Using Nxlog as syslog forwarder
I'm currently using nxlog to filter and forward syslog: source => filter logs on an intermediate server with nxlog installed => forward via UDP 514 (syslog).
The config looks like the following:
<Extension _syslog>
    Module      xm_syslog
</Extension>

# syslog to Nxlog01
<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        # Drop messages matching either pattern (REGEX is a placeholder)
        if (($Message =~ /REGEX/)
            or ($Message =~ /REGEX/))
            drop();
    </Exec>
    # Only keep messages from the expected source address
    Exec        if $MessageSourceAddress != "1.1.1.1" drop();
</Input>

<Processor _sys_norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>

# Syslog output to DST server
<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
Firstly, is this possible with the CE agent?
I already performed a tcpdump on the intermediate server where nxlog is installed and I can see the syslog being received but not sent after filtering. There is UDP 514 connectivity between the nxlog server and the destination server.
I tried:
- Removing all regex filtering (since I thought my regex wasn't good enough); no results.
- Changing im_udp to im_tcp (I thought maybe you can't use the same port in both input and output modules).
- Checking whether there actually is network connectivity between the nxlog server and the destination server using nc, by sending a UDP 514 packet to the dst server.
Can anyone help with this?
It seems you are missing a parse_syslog(); call...
<Exec>
HERE!!!
if (($Message =~ /REGEX/)
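The full configuration with that fix applied, written here as an added example rather than taken from either poster. It keeps the placeholders from the question (1.1.1.1, dstserver_ip, REGEX), moves the source-address check ahead of parsing so unwanted senders are dropped before any work is done, and calls parse_syslog() before the $Message checks: im_udp only populates $raw_event and $MessageSourceAddress, so $Message, $Hostname and $SourceName are undefined until parse_syslog() runs, which is why the regex filters and the pm_norepeat CheckFields had nothing to work on.

```apacheconf
# Added example: corrected config for the forwarder in the question.
# 1.1.1.1, dstserver_ip and REGEX are placeholders carried over from the post.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        # $MessageSourceAddress is set by im_udp before any parsing,
        # so unexpected senders can be dropped cheaply right here.
        if $MessageSourceAddress != "1.1.1.1" drop();

        # Populate $Message, $Hostname, $SourceName, $SyslogSeverity, ...
        # from $raw_event. Without this call $Message is undefined and
        # the regex checks below never match.
        parse_syslog();

        # Drop messages matching either pattern (REGEX is a placeholder)
        if (($Message =~ /REGEX/)
            or ($Message =~ /REGEX/))
            drop();
    </Exec>
</Input>

<Processor _sys_norepeat>
    Module      pm_norepeat
    # These fields now exist because parse_syslog() ran in the input
    CheckFields Hostname, Message, SourceName
</Processor>

<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    # Rebuild $raw_event in BSD syslog format from the parsed fields
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
```

After restarting nxlog, confirm the listener is actually bound on the interface that receives the traffic (for example `ss -ulnp | grep 514`), since depending on the NXLog version im_udp binds only to localhost unless a Host or ListenAddr directive is set, and check nxlog.log for parse errors from parse_syslog(). Bear in mind that filtering on $MessageSourceAddress over UDP is a convenience, not an access control: UDP source addresses are trivially spoofed, so anything that needs real sender authentication should use im_ssl/om_ssl instead of plain UDP 514.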