Using Nxlog as syslog forwarder

Tags: syslog

#1 jd01

I'm currently using nxlog to filter and forward syslog: Source => Filter Logs on intermediate server with nxlog installed => forward udp 514 (syslog).

Config looks like the following:

    <Extension _syslog>
        Module      xm_syslog
    </Extension>
    #syslog to Nxlog01
    <Input _sys_in>
        Module      im_udp
        Port        514
        <Exec>
            if (($Message =~ /REGEX/)
                  or ($Message =~ /REGEX/))
                    drop();
        </Exec>
        Exec if $MessageSourceAddress != "1.1.1.1" drop();
    </Input>
    <Processor _sys_norepeat>
        Module      pm_norepeat
        CheckFields Hostname, Message, SourceName
    </Processor>
    #Syslog Output to DST server
    <Output _sys_out>
        Module      om_udp
        Host        dstserver_ip
        Port        514
        Exec        to_syslog_bsd();
    </Output>
    <Route Logs>
        Path        _sys_in => _sys_norepeat => _sys_out
    </Route>

Firstly is this possible with the CE agent?

I already performed a tcpdump on the intermediate server where nxlog is installed and I can see the syslog being received but not sent after filtered. There is udp 514 connectivity between nxlog server and destination server.

I tried:

  • Removing all regex filtering (since I thought my regex wasn't good enough), no results.

  • Changed im_udp to im_tcp (I thought maybe you can't use the same port in both input and output modules).

  • Checked whether there actually is network connectivity between nxlog server and destination server using nc by sending a udp 514 packet to dst server.

Can anyone help with this?

#2 manuel.munoz (Nxlog)

It seems you are missing a parse_syslog(); call...

    <Exec>
        # HERE: parse the raw syslog line first so $Message (and $Hostname,
        # $SourceName) are populated before the filter reads them
        parse_syslog();
        if (($Message =~ /REGEX/)
              or ($Message =~ /REGEX/))
                drop();
    </Exec>
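The full route from post #1 with parse_syslog() placed before every stage that reads the parsed fields, written here as an added example (not code from the thread or from NXLog's own documentation); dstserver_ip, the 1.1.1.1 source address and the two /REGEX/ placeholders are carried over from the original post and stand for the real values.

```nxlog
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        # im_udp alone provides $raw_event and $MessageSourceAddress.
        # $Message, $Hostname and $SourceName only exist after parsing,
        # so a regex filter on $Message has nothing to match until here.
        parse_syslog();
        if (($Message =~ /REGEX/)
              or ($Message =~ /REGEX/))
                drop();
        # The source check works on the unparsed event as well, since the
        # address comes from the UDP datagram rather than the message text.
        if $MessageSourceAddress != "1.1.1.1" drop();
    </Exec>
</Input>

<Processor _sys_norepeat>
    Module      pm_norepeat
    # All three are parsed fields; without parse_syslog() they are undefined
    # and consecutive duplicates cannot be detected on them.
    CheckFields Hostname, Message, SourceName
</Processor>

<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    # Rebuilds $raw_event in BSD syslog format from the parsed fields
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
```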