Cannot parse properly Exchange # lines | Log collection solutions

#1 Pepper 7 years ago

I do use NXLog to parse the Exchange logs and send them to my Graylog. Time to time, Graylog still receive the line #Software: Microsoft Exchange...

Note that the line is sent once per hours or two hours.

It seems that the check if $raw_event =~ /^#/ drop(); fail to drop the #line randomly.

Bellow part of my config for the input:

Module     im_file
File     "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log"
SavePos    TRUE
   ReadFromLast    TRUE
   Recursive       TRUE
   CloseWhenIdle TRUE
InputType    LineBased
   PollInterval 10

   Exec if $raw_event =~ /HealthMailbox/ drop();
   Exec if $raw_event =~ /^#/ drop();
   Exec ParseEXCHANGESMSGTRK->parse_csv();

</Input>

Any clue, help or solution is welcome

Permalink

#2 b0ti Nxlog ✓ 7 years ago (Last updated 7 years ago )

#1 Pepper

I do use NXLog to parse the Exchange logs and send them to my Graylog. Time to time, Graylog still receive the line #Software: Microsoft Exchange... Note that the line is sent once per hours or two hours. It seems that the check if $raw_event =~ /^#/ drop(); fail to drop the #line randomly. Bellow part of my config for the input: <Input in_MSGTRK> Module im_file File "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log" SavePos TRUE ReadFromLast TRUE Recursive TRUE CloseWhenIdle TRUE InputType LineBased PollInterval 10 Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); Exec ParseEXCHANGESMSGTRK->parse_csv(); </Input> Any clue, help or solution is welcome

Can you check that the files don't contain a UTF-8 BOM header?

If you can confirm that the EE trial is also affected (i.e. this is some bug still lurking in there) then please create a reproducible test case including a full config file and input samples and open a support ticket.