Support Troubleshooting

                      Troubleshooting Nxlog

                      Troubleshooting Nxlog

                      Use these tips to troubleshoot problems with Nxlog. You can check the nxlog configuration, send sample data, and check connection. Additionally, you can read the Nxlog Configuration docs.

                      Wait a Few Minutes

                      Wait a few minutes after sending an event to give it time to index and appear in the search results. It normally happens within seconds, but sometimes it can take longer.

                      Check Loggly Status

                      If Loggly isn’t seeing data check our status page to make sure we are indexing data and search is running. You should see green dots and “All Systems Operational”.

                      Restart Nxlog

                      Make sure you restarted nxlog so your changes in nxlog configuration file take effect. Open the Services tool in the Start menu, find nxlog in the list, and then restart the service.

                      Check your Nxlog configuration

                      Make sure you don’t see any of these common configuration problems:

                      • Check to make sure that you replaced the customer token in nxlog configuration file.
                      • If you are on 32-bit Windows make sure you replaced the ROOT and ROOT_STRING variables

                      Check Nxlog log file

                      If your logs haven’t made it to Loggly yet, open up the nxlog log file and see what’s going on: C:\\Program Files*\\nxlog\\data\\nxlog.log

                      Debug Output

                      In order to see what’s actually sent over to Loggly, edit your nxlog configuration file: Add this section with the other Extensions:

                      <Extension fileop>
                          Module   xm_fileop

                      This line should go into the Output module that you’re debugging:

                      Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log",  $raw_event);

                      Check Connection

                      Sample Error Messages:

                      2013-06-04 16:35:59 ERROR couldn't connect to tcp socket on; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
                      2013-06-04 16:36:00 INFO connecting to
                      2013-06-04 16:36:21 INFO reconnecting in 2 seconds

                      If you see an error connecting to “tcp socket on”, you’ve probably got an issue with the configuration file. Make sure that you’re editing the configuration file as “Administrator”, this means that you should actually open up text editor as Administrator.

                      Check Directory Path

                      Sample Error Messages:

                      2013-06-04 20:46:48 WARNING nxlog-ce received a termination request signal, exiting...
                      2013-06-04 20:57:10 ERROR failed to open C:\Program Files (x86);xlog\data;xlog.log; The filename, directory name, or volume label syntax is incorrect. 
                      2013-06-04 20:57:10 INFO nxlog-ce-2.4.1054 started

                      When you designate a directory path, be sure to escape any special characters, including back slashes.

                      File  "C:\\Program Files (x86)\nxlog\data\nxlog.log"


                      File  "C:\\Program Files (x86)\\nxlog\\data\\nxlog.log"

                      Check Nxlog Configuration

                      Sample Error Messages:

                      2013-06-04 21:36:28 ERROR file is already defined at C:\Program Files (x86)\nxlog\conf\nxlog.conf:34
                      2013-06-04 21:36:28 ERROR module 'file_watch' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:58
                      2013-06-04 21:36:28 WARNING not starting unused module file_watch

                      Each input module can only reference one source.Create unique names for each of the input streams. For example:

                      <Input python_logs>
                         Module   im_file
                         File     "C:\\Your Project\\Python\\mylog.log"
                         SavePos  TRUE
                      <Input apache_logs>
                         Module   im_file
                         File     “C:\\Program Files (x86)\\Apache Group\\Apache2\\logs\\error.log”
                         SavePos  TRUE

                      Double check that your Route module has the complete list of Input modules. For Example:

                      <Route 1>
                         Path internal, python_logs, apache_logs, eventlog => out

                      Check Using Wireshark

                      Wireshark is network protocol analyzer. It lets you see what’s happening on your network. You can track network traffic to Loggly on port 514 and see if anything is going wrong. You can use the following filter query in the Wireshark.

                      tcp.port == 514

                      Still Not Working?

                      Thanks for the feedback! We'll use it to improve our support documentation.