Windows – NXLOG File Input Search Patterns

I'm trying to use nxlog to forward vCenter messages to Logstash with the im_file input module and a pattern to specify the exact file(s) to watch. What would normally be simple is now needlessly complicated as vCenter's log rotation compresses the log and then increments the filename when the next log file is created. For example:

vpxd-1.log -> vpxd-1.log.gz -> vpxd-2.log

I want to forward messages from the vCenter vpxd.log log:

*vpxa(\.log|\.\d+(\.gz)?|-\d+\.log(\.gz)?)

Best Answer

Since vCenter logs are formatted differently from the ESXi logs, I decided to use Logstash instead of nxlog. I'll be setting up local filters in the forwarder to convert vCenter messages into a similar format as the ESXi messages.

See this guide for more info about running Logstash as a Windows service.


Service config:

C:
cd \logstash
set HOME=c:/logstash/sincedb
"C:\Program Files\Java\jdk1.7.0_45\bin\java.exe" -jar logstash-1.2.2.jar agent --config logstash.conf --log logstash.log

Logstash Config:

input {
  file {
    path => [ "C:/vmware_logs/vpxd-[0-5][0-9].log", "C:/vmware_logs/vpxd-alert-[0-5][0-9].log" ]
    type => "syslog"
    exclude => "*.gz"
  }
}

output {
  udp {
    host => "<address>"
    port => "514"
  }
  stdout {
    debug => true
  }
}
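
A quick way to confirm which rotated files the path and exclude globs above will actually pick up, so a gap in log collection shows up before it matters. This is an added example, not part of the original answer: the directory listing is constructed, the helper names are hypothetical, and Logstash's glob handling is approximated with Ruby's File.fnmatch? (path patterns matched on the full path, exclude patterns on the basename).

```ruby
# Patterns copied from the Logstash config above.
PATHS   = ["C:/vmware_logs/vpxd-[0-5][0-9].log",
           "C:/vmware_logs/vpxd-alert-[0-5][0-9].log"].freeze
EXCLUDE = ["*.gz"].freeze

# Assumption: exclude is tested against the basename only, path against the
# whole path with FNM_PATHNAME so wildcards never cross a "/" boundary.
def watched?(file, paths = PATHS, exclude = EXCLUDE)
  return false if exclude.any? { |pat| File.fnmatch?(pat, File.basename(file)) }
  paths.any? { |pat| File.fnmatch?(pat, file, File::FNM_PATHNAME) }
end

# Split a listing into [files that would be tailed, files that would be ignored].
def coverage(files)
  files.partition { |f| watched?(f) }
end

# Constructed sample listing covering the rotation sequence from the question
# (vpxd-1.log -> vpxd-1.log.gz) plus two-digit and out-of-range names.
SAMPLE = %w[
  C:/vmware_logs/vpxd-1.log
  C:/vmware_logs/vpxd-1.log.gz
  C:/vmware_logs/vpxd-07.log
  C:/vmware_logs/vpxd-59.log
  C:/vmware_logs/vpxd-60.log
  C:/vmware_logs/vpxd-alert-03.log
  C:/vmware_logs/vpxd-alert-03.log.gz
  C:/vmware_logs/vpxd-profiler-03.log
].freeze

if __FILE__ == $PROGRAM_NAME
  watched, ignored = coverage(SAMPLE)
  puts "watched:"
  watched.each { |f| puts "  #{f}" }
  puts "ignored (not forwarded):"
  ignored.each { |f| puts "  #{f}" }
end
```

With this listing, only the names with exactly two digits in the 00-59 range are tailed; a single-digit name such as vpxd-1.log and anything from vpxd-60.log upward fall outside `[0-5][0-9]` and would not be forwarded.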