- I have a Windows application, let's name it MyApp.
- MyApp creates important log files on my server without using the Event Log. These log files are simply textfiles (i.e. logfile.txt)
- For compliance purposes, I have to send these log files to a remote syslog server.
- The compliance auditor wants me to ensure that these log files are always sent no matter what.
The two products that I used to implement this are neologger and NSSM:
- Neologger reads a file (as a mater of fact, it tails it) and sends it to a syslog server.
- NSSM is a software that lets you wrap any application (in our case, Neologger) in a Windows service.
What is "tailing" a file?
Unix administrators are familiar with the tail command: it follows a text file, grabbing new entries at the end as they come in. Neologger, basically replicates what "tail file.log | logger" would do on Unix.
Using Neologger
Neologger is, in essence, a simple and reliable tool. It will tail a text file endlessly, and it automatically detects if that file is deleted, shrunk or rotated, which ensures a reliable operation. To use it, simply try:# neolog.exe -r logfile.txt -tail -t syslog_server -d
This will tail file logfile.txt and send it to syslog_server. Many other command-line options are available. Note the -d option; this is a debug option that lets you see what it does, you normally would not want it there.
The first thing you need to do is therefore to craft a command-line as above, but specific for your application. Here is a more complete example:
# "C:\Program Files\neolog\neolog.exe" -r "C:\ProgramData\My App\logfile.txt" -tail -t mysyslogserver.company.com -p 1234 -d
This will tail logfile.txt and send it to mysyslogserver.company.com on port 1234. Once it works for you, remove the -d option.
Wrapping Neologger with NSSM
Now, the next question is, how do I ensure that neolog.exe runs reliably? The answer is to configure Neologger as a service under Windows. It's easier to manage as a service and the operating system will ensure that it restarts appropriately if it ever crashes. That's where NSSM comes into play. NSSM (Non-Sucking Service Manager) is a tool that lets you wrap almost any application as a service.# nssm install MyApp-Syslog
This will create a new service named MyApp-Syslog. Then, fill the Path, Startup directory, and Arguments as appropriate (don't forget to remove -d as it is not required here). Here is an example:
You don't need to change anything in the other tabs, but you can take a look in case you need to fine-tune something.
Now you can try starting the MyApp-Syslog via the service panel, and see if it works.
What happens if the log file isn't there in the first place? While neologger will "wait" if the file disappears once it starts tailing it, it will gracefully exit if it's not initially there. NSSM will then try to restart neolog.exe using its throttling settings. This ensures that the service will loop neolog.exe, slowly, until the file appears again. During that time, the service is labeled as "Paused" in the service panel.
Going a step further with dependencies
The last step, which can be important for compliance reasons, is not only to help Neologger run reliably (which is done by configuring it as a service), but ensure that it always runs when your application runs, too. This is done with dependencies.
If your application doesn't run as a service, you're out of luck. But let's say MyApp runs under a Windows Service named MyApp-Service. It then becomes trivial to make MyApp-Service depend on MyApp-Syslog.
To change dependencies, you have to edit MyApp-Service directly. First, query MyApp-Service to see if it has other dependencies:
# sc qc MyApp-Service
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MyApp-Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\MyApp\MyApp.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MyApp Service
DEPENDENCIES : tcpip
You can see here that MyApp-Service depends on tcpip. It is important to keep this in mind. Next, change the dependencies on MyApp-Service by configuring it to depend on both tcpip and MyApp-Syslog. Note here that you have to explicitly state that tcpip is still a dependency, and separate it with a slash to add MyApp-Syslog.
# sc config MyApp-Service depend= tcpip/MyApp-Syslog
[SC] ChangeServiceConfig SUCCESS
# sc qc MyApp-Service
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MyApp-Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\MyApp\MyApp.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MyApp Service
DEPENDENCIES : tcpip
MyApp-Syslog
Once this is done, start MyApp-Service. You'll notice that it starts MyApp-Syslog automatically. The same logic applies if you stop MyApp-Syslog before MyApp-Service, both will stop at the same time.
Putting it all together
To conclude, let's restate what we just did. First, we used Neologger to tail a text file on Windows, generated by an application named MyApp and sent it, live, to a syslog server. Then, we used NSSM to configure Neologger as a Windows service to help us manage its startup and shutdown. Finally, we created a dependency between the service that runs MyApp and the new service we've just created, to reassure our compliance auditor that Neologger always runs when MyApp runs, too.
Good luck.
