How to parse incoming syslog messages for specific string and write to separate file

#1 bluelotus

I have nxlog configured to capture syslog messages and write them to a file, and all is fine, but now I would like the ability to parse for a specific string in the syslog message being received and then write those syslog messages to a separate file (nxdomain.log). For example, when receiving syslog messages that contain the string "NXDOMAIN", I want to then write that specific syslog message to a separate file just for those cases so I can track those specific messages and not have to later parse the daily log (log.txt) file.

How would I modify this configuration file to do just that?

define ROOT /usr/bin
define FILENAME /logs/log.txt

Moduledir /usr/libexec/nxlog/modules
CacheDir %ROOT%/data
Pidfile %ROOT%/data/nxlog.pid
SpoolDir /var/spool/nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Extension xm_exec>
    Module xm_exec
</Extension>

<Extension xm_fileop>
    Module xm_fileop
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_tcp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog_bsd();
</Input>

<Output out>
    Module om_file
    File "%FILENAME%"
    <Schedule>
        When @daily
        # rotate the daily log and reopen the output so writes continue on a fresh file
        Exec file_rename("%FILENAME%", "%FILENAME%" + '.' + strftime(now(), "%Y%m%d")); \
             out->reopen();
    </Schedule>
</Output>

<Route 1>
    Path in => out
</Route>

#2 b0ti Nxlog ✓

You could use xm_fileop for this with the following:

    # inside <Input in>, after parse_syslog_bsd()
    Exec if $raw_event =~ /NXDOMAIN/ file_write('/nxdomain.log', $raw_event);

The other option is to add another om_file instance and filter out everything that you don't want in the file.
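The second option written out as a complete route, added here as an example and not part of b0ti's answer: the existing daily log keeps receiving everything, while a second om_file instance drops every event that does not contain NXDOMAIN before it is written. It assumes that drop() may be called from an om_file Exec and uses /logs/nxdomain.log as the path for the new file (both are assumptions, not taken from the thread).

```nxlog
# Added example: one input fanned out to two om_file outputs.
# Assumptions: drop() is permitted in an Output module's Exec, and the
# NXDOMAIN-only file lives at /logs/nxdomain.log.
define FILENAME /logs/log.txt
define NXFILE   /logs/nxdomain.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_tcp
    Host   0.0.0.0
    Port   514
    # fills $Message, $Hostname, $SyslogFacility etc. from the BSD syslog line
    Exec   parse_syslog_bsd();
</Input>

# Unchanged: every received event still lands in the daily log
<Output out>
    Module om_file
    File   "%FILENAME%"
</Output>

# Only events whose raw line contains NXDOMAIN survive; the rest are dropped
# before they reach the file. $raw_event is used rather than $Message so an
# unparseable line cannot slip through as an undefined comparison.
<Output nxdomain>
    Module om_file
    File   "%NXFILE%"
    Exec   if $raw_event !~ /NXDOMAIN/ drop();
</Output>

# One input feeds both outputs; drop() in one output does not affect the other
<Route 1>
    Path in => out, nxdomain
</Route>
```

Because the drop happens in the second output only, nxdomain.log is a filtered view and log.txt remains the complete record, which is what you want if the NXDOMAIN file is ever used as evidence and needs to be checked against the full stream.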