Transparent NXLog Relay for syslog B

#1 fbrollo

Hi everyone,

Here is a brief overview of what I'm trying to do:

            +----------+ tcp1514 +-----+  tcp514 +---------+
            |Originator|---->----|Relay|---->----|Collector|
            +----------+         +-----+  syslog +---------+
           192.168.56.10      192.168.56.18     192.168.56.14 

Here is the message I get in RSA:

ReceivedTimeStamp RelayHostname [LogMessage]

I would like to have this

ReceivedTimeStamp OriginatorHostname [LogMessage]

I think I'm supposed to throw in an Exec: $Hostname=hostname(); somewhere, but where exactly?

Here is what my conf files look like:

Originator:

<Input in>
    Module    im_file
    Recursive    TRUE
    File    'C:\\IIS\\*.log'
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.18
    Port    1514
</Output>

<Route 1>
    Path    in => out
</Route>

Relay:

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module im_tcp
    Port 1514
    Host 0.0.0.0
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.14
    Port    514
    Exec    to_syslog_bsd();
</Output>
<Route 1>
    Path    in => out
</Route>

Thanks for your help.

#2 adm Nxlog ✓

to_syslog_bsd() will put the value of $Hostname in the generated syslog line. If it does not exist, the local hostname is used. That's why you are seeing the relay's hostname there. To fix this you can:

  • add Exec parse_syslog() to your input so that $Hostname is filled,
  • remove to_syslog_bsd() so that the syslog data will be transferred unaltered.

In addition to the above, since the data sent is not syslog, you need to format it that way on the client:

<Output out>
   Module om_tcp
   Host 192.168.56.18
   Port 1514
   Exec $Message = $raw_event; to_syslog_bsd();
</Output>
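Putting the answer together, here is the complete originator and relay pair as an added example (not the configuration posted by either participant). It is two separate nxlog.conf files, shown one after the other; the addresses, ports and file path are the ones from the thread, and the layout of the Exec lines is an assumption about how the fix is applied rather than anything the thread shows in full.

```conf
# ===== File 1: nxlog.conf on the originator (192.168.56.10) =====
# xm_syslog provides to_syslog_bsd() and parse_syslog(); without this
# extension the Exec line in the output below fails to load.
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module    im_file
    Recursive TRUE
    File      'C:\\IIS\\*.log'
</Input>

<Output out>
    Module    om_tcp
    Host      192.168.56.18
    Port      1514
    # Wrap each raw IIS line in a BSD syslog header. $Hostname is not set
    # here, so to_syslog_bsd() fills it with the originator's own hostname,
    # which is the value we want to survive the hop through the relay.
    Exec      $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path      in => out
</Route>

# ===== File 2: nxlog.conf on the relay (192.168.56.18) =====
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    # Parse the incoming header so $Hostname carries the originator's name.
    # Without this, $Hostname is empty and the to_syslog_bsd() call in the
    # output substitutes the relay's hostname, which is the symptom seen
    # in the collector.
    Exec      parse_syslog();
</Input>

<Output out>
    Module    om_tcp
    Host      192.168.56.14
    Port      514
    # Re-serialise with the preserved $Hostname. The alternative from the
    # answer is to delete this Exec line, in which case the line is
    # forwarded as it was received from the originator.
    Exec      to_syslog_bsd();
</Output>

<Route 1>
    Path      in => out
</Route>
```

One caveat for anyone relying on this for attribution: the hostname parse_syslog() recovers is whatever the sender wrote into the header, so it is only as trustworthy as the originator. im_tcp also records the connecting peer's address in $MessageSourceAddress; keeping that field (for example by forwarding in a structured format instead of BSD syslog) gives the collector an observed value to check the claimed hostname against.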