run bash script when ERROR spotted in logs in nxlog

#1 Rafalf

I am trying to run a script every time an error is found in logs

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    "/home/rafal/gitprojects/mst-sender/hub.cloudradar-error.log"
    <Exec>
        if $raw_event =~ /(\S+)\ (.+) \[ERROR (.+)/
        {
            exec_async("/bin/sh", "/home/rafal/gitprojects/mst-sender/run.sh");
        }
    </Exec>
</Input>

From the documentation it looks like it should exec async if regex matches, but I am seeing only the following log: "WARNING not starting unused module in", and the script is not executed. I don't need to output it, only run that script.

I added a route but this ain't helping either

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

I created another config file as follows just to log a warning, but again it's not getting executed

define ACTION { log_warning("dropping message"); drop(); }

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    'D:\mst-sender\hub.cloudradar-error.log'
    Exec    if $raw_event =~ /ERROR/ %ACTION%
</Input>

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

and here is my config file

04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96

UPDATE

I found the problem. It's a silly mistake of mine. You need to make changes in the log file to see the log lines being parsed.

#2 MisazivDeactivated Nxlog ✓

Hi,

In this config:

define ACTION { log_warning("dropping message"); drop(); }

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    'D:\mst-sender\hub.cloudradar-error.log'
    Exec    if $raw_event =~ /ERROR/ %ACTION%
</Input>

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

You are missing the ; in this line: Exec if $raw_event =~ /ERROR/ %ACTION%

Also, for test purposes, you can set it to log errors to a file using om_file, that way you can confirm that your regex is working and picking up events.

I hope this is good enough to get you going.

~MisaZ
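
A test configuration combining the two points from this thread (im_file only evaluates lines it has not read yet, and om_file can confirm what the regex matched). This is an added example, not code from either poster or from NXLog. The log and script paths are the ones from post #1; the om_file path is a hypothetical location chosen for the example.

```conf
<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module        im_file
    File          "/home/rafal/gitprojects/mst-sender/hub.cloudradar-error.log"
    # Test-only settings: by default im_file resumes from its saved position,
    # or starts at the end of the file, so lines already present when NXLog
    # starts are never evaluated. With both set to FALSE the whole file is
    # read on every start.
    ReadFromLast  FALSE
    SavePos       FALSE
    <Exec>
        if $raw_event =~ /(\S+)\ (.+) \[ERROR (.+)/
        {
            # Fixed command line: nothing from the log line is passed
            # to the script.
            exec_async("/bin/sh", "/home/rafal/gitprojects/mst-sender/run.sh");
        }
        else
        {
            # Non-matching lines are discarded, so the output file below
            # contains only the events that triggered the script.
            drop();
        }
    </Exec>
</Input>

<Output matched>
    Module  om_file
    # Hypothetical path for this example
    File    "/tmp/nxlog-error-matches.log"
</Output>

<Route 1>
    Path    in => matched
</Route>
```

Remove `ReadFromLast FALSE` and `SavePos FALSE` once the regex is confirmed; otherwise every restart re-reads the file and runs the script again for each old ERROR line.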