03/08/20 Notes
Logging Puppet Events from a Windows Puppet Client Using NXLog
By default, the Windows Puppet agent logs events to the Windows Application log. To split the Puppet agent log into a separate file, create the registry key below. Note that this requires a reboot to take effect.
reg add HKLM\System\CurrentControlSet\Services\EventLog\Puppet\Puppet /v EventMessageFile /t REG_EXPAND_SZ /d "C:\Program Files\Puppet Labs\Puppet\puppet\bin\puppetres.dll"
You can view the Puppet events in Event Viewer under "Applications and Services Logs". The file location is C:\Windows\System32\winevt\Logs\Puppet.evtx.
For NXLog to read this log, your nxlog.conf file needs an input that uses the im_msvistalog module with a QueryXML block.
The key sections are listed below. Note the use of to_syslog_bsd in Output, which formats each event as BSD syslog before it is sent:
<Input puppetlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Puppet'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
<Output tcp>
    Module om_tcp
    Host 192.168.102.52
    Port 514
    Exec to_syslog_bsd();
</Output>
<Route messages_to_tcp>
    Path puppetlog => tcp
</Route>
Below is a manifest I used to configure these settings on a Windows box using an inline template. Note the \\n escapes I have had to use, for example in C:\Program Files (x86)\\nxlog: in a double-quoted Puppet string \n is a newline, so a backslash that comes before an n has to be doubled.
node 'DESKTOP-BLAH' {
$config = "Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input puppetlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Puppet'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output tcp>
Module om_tcp
Host 192.168.102.52
Port 514
Exec to_syslog_bsd();
</Output>
<Route messages_to_tcp>
Path puppetlog => tcp
</Route>"
  file { 'C:/Program Files (x86)/nxlog/conf/nxlog.conf':
    ensure  => file,
    content => inline_template($config),
    notify  => Service['nxlog'],
  }
  service { 'nxlog':
    ensure    => 'running',
    enable    => true,
    subscribe => File['C:/Program Files (x86)/nxlog/conf/nxlog.conf'],
  }
  exec { 'Create Puppet Log':
    path    => 'C:\windows\system32',
    command => 'cmd.exe /c reg add HKLM\System\CurrentControlSet\Services\EventLog\Puppet\Puppet /v EventMessageFile /t REG_EXPAND_SZ /d "C:\Program Files\Puppet Labs\Puppet\puppet\bin\puppetres.dll" && shutdown /r /t 60',
    unless  => 'cmd.exe /c reg query HKLM\System\CurrentControlSet\Services\EventLog\Puppet\Puppet',
  }
}
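One way to avoid the \\n escaping altogether, shown as an added example that is not the author's manifest: a Puppet heredoc with no escape flags keeps every backslash literal, so the NXLog paths can be written exactly as they appear on disk. It assumes Puppet 4 or later; the variable name $nxlog_conf and the heredoc tag NXLOG are chosen here, and the config is trimmed to the sections needed to forward the Puppet log.

```puppet
# Added example: @(NXLOG) enables neither interpolation nor escapes,
# so \n, \d, \m and so on inside the body are plain text, not escape sequences.
$nxlog_conf = @(NXLOG)
  Panic Soft
  define ROOT C:\Program Files (x86)\nxlog
  define LOGDIR %ROOT%\data
  define LOGFILE %LOGDIR%\nxlog.log
  LogFile %LOGFILE%
  Moduledir %ROOT%\modules
  CacheDir %ROOT%\data
  Pidfile %ROOT%\data\nxlog.pid
  SpoolDir %ROOT%\data
  # xm_syslog provides to_syslog_bsd()
  <Extension _syslog>
      Module xm_syslog
  </Extension>
  <Input puppetlog>
      Module im_msvistalog
      <QueryXML>
          <QueryList>
              <Query Id='0'>
                  <Select Path='Puppet'>*</Select>
              </Query>
          </QueryList>
      </QueryXML>
  </Input>
  <Output tcp>
      Module om_tcp
      Host 192.168.102.52
      Port 514
      Exec to_syslog_bsd();
  </Output>
  <Route messages_to_tcp>
      Path puppetlog => tcp
  </Route>
  | NXLOG

# The string is already final, so it is passed as content directly
# instead of going through inline_template().
file { 'C:/Program Files (x86)/nxlog/conf/nxlog.conf':
  ensure  => file,
  content => $nxlog_conf,
  notify  => Service['nxlog'],
}

service { 'nxlog':
  ensure => running,
  enable => true,
}
```

The `| NXLOG` end marker strips the two-space indentation from every line, so the file written to disk starts each top-level directive in column one.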