Timestamps sent out by NXLog are wrong
I'm getting syslog info in from network devices. It looks like this:
id=scsonicwall sn=18B169F5XXXX time="2020-08-24 19:32:49" fw=64.20.130.54 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=00:01:5c:71:c6:46 src=173.188.249.226:58706:X1 srcZone=Untrusted natSrc=173.188.249.226:58706 dstMac=00:50:56:80:66:a6 dst=10.10.12.5:443:X0 dstZone=Trusted natDst=X.x.x.x:443 proto=tcp/https sent=920 rcvd=3262 spkt=10 rpkt=6 cdur=666 rule="14 (WAN->LAN)" app=11 n=2617279 fw_action="NA" dpi=0
When NXLog is relaying this out to Loggly, it's boogering up the timestamps:
<134>1 2020-12-31T19:00:00.000000-05:00 10.10.12.1 - - - [XXXXXX@41058 tag="windows"] {"MessageSourceAddress":"10.10.12.1","EventReceivedTime":"2020-08-24 20:05:06","SourceModuleName":"udp","SourceModuleType":"im_udp","SyslogFacilityValue":16,"SyslogFacility":"LOCAL0","SyslogSeverityValue":6,"SyslogSeverity":"INFO","SeverityValue":2,"Severity":"INFO","Hostname":"10.10.12.1","EventTime":"2020-12-31 19:00:00","Message":"id=scsonicwall sn=18B169F52958 time="2020-08-24 20:05:06" fw=X.X.X.X pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=206.74.83.165:61555:X1 natSrc=206.74.83.165:61555 dst=10.10.12.5:443:X0 natDst=X.X.X.X:443 proto=tcp/https sent=52 app=11 n=131486 fw_action="NA" dpi=0"}
Note that the "time" field internal to the message is correct, but the EventTime and the timestamp at the beginning of the message are completely wrong.
My config is below. What do I need to do to fix this?
## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at https://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
    Exec $Message = to_json();
</Input>

# Windows Event Log
#<Input eventlog>
#    # Uncomment im_msvistalog for Windows Vista/2008 and later
#    Module im_msvistalog
#    # Uncomment im_mseventlog for Windows XP/2000/2003
#    Module im_mseventlog
#    Exec $Message = to_json();
#</Input>

<Processor buffer>
    Module pm_buffer
    # 100Mb disk buffer
    MaxSize 102400
    Type disk
</Processor>

<Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog_ietf();
    Exec $Message = to_json();
</Input>

<Output out>
    Module om_tcp
    Host logs-01.loggly.com
    Port 514
    Exec to_syslog_ietf(); $raw_event =~ s/\[NXLOG.*?\]/\[XXXXXXXXXXXX@41058 tag="windows"\]/g;
</Output>

<Route 1>
    Path udp, internal => buffer => out
</Route>
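The mismatch described in the post (device-side time="..." correct, relayed header timestamp wrong) is the kind of thing that silently breaks correlation and retention in a SIEM, so it is worth detecting rather than discovering by eye. The following is an added example, not part of the original post and not NXLog code: a small Python check that parses a SonicWall-style key=value message (handling quoted values such as msg="Connection Closed" and rule="14 (WAN->LAN)"), reads the RFC 5424 header that the relay prepended, and reports the skew between the two. The sample message and header are constructed to match the shape shown above, with public addresses replaced by documentation ranges; the assumption that the device clock runs in the same UTC-5 offset as the relay header is a labelled placeholder (DEVICE_TZ), not something the post states.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the post's SonicWall message
# (public IPs replaced with RFC 5737 documentation addresses).
SAMPLE_MESSAGE = (
    'id=scsonicwall sn=18B169F5XXXX time="2020-08-24 19:32:49" fw=192.0.2.10 pri=6 '
    'c=1024 gcat=6 m=537 msg="Connection Closed" src=198.51.100.7:58706:X1 '
    'dst=10.10.12.5:443:X0 proto=tcp/https rule="14 (WAN->LAN)" fw_action="NA" dpi=0'
)

# Constructed sample of the RFC 5424 header the relay prepended (shape from the post).
SAMPLE_RELAYED_HEADER = '<134>1 2020-12-31T19:00:00.000000-05:00 10.10.12.1 - - -'

# Assumption: the device writes its time="..." field in the same offset the
# relayed header carries (UTC-5). Adjust if the appliance clock is set differently.
DEVICE_TZ = timezone(timedelta(hours=-5))

# key=value tokens: the value is either a double-quoted string (may contain
# spaces and symbols, e.g. rule="14 (WAN->LAN)") or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# <PRI>VERSION TIMESTAMP HOSTNAME ... as produced by an RFC 5424 emitter.
_HDR_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)')


def parse_kv(message: str) -> dict:
    """Split a SonicWall-style message into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in _KV_RE.findall(message):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_header_time(line: str) -> datetime:
    """Return the timezone-aware timestamp from an RFC 5424 header."""
    m = _HDR_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    return datetime.fromisoformat(m.group('ts'))


def device_time(fields: dict, tz: timezone = DEVICE_TZ) -> datetime:
    """Parse the appliance's own time="YYYY-MM-DD HH:MM:SS" field."""
    return datetime.strptime(fields['time'], '%Y-%m-%d %H:%M:%S').replace(tzinfo=tz)


def timestamp_skew(header_line: str, message: str, tz: timezone = DEVICE_TZ) -> timedelta:
    """Header timestamp minus the device's embedded time; zero when they agree."""
    return parse_header_time(header_line) - device_time(parse_kv(message), tz)


def is_skewed(header_line: str, message: str,
              tolerance: timedelta = timedelta(minutes=5)) -> bool:
    """True when the relay's header time disagrees with the device time beyond tolerance."""
    return abs(timestamp_skew(header_line, message)) > tolerance


if __name__ == "__main__":
    skew = timestamp_skew(SAMPLE_RELAYED_HEADER, SAMPLE_MESSAGE)
    print("device time :", device_time(parse_kv(SAMPLE_MESSAGE)).isoformat())
    print("header time :", parse_header_time(SAMPLE_RELAYED_HEADER).isoformat())
    print("skew        :", skew, "-> SKEWED" if is_skewed(SAMPLE_RELAYED_HEADER, SAMPLE_MESSAGE) else "-> ok")
```

Running this against a stream of relayed lines (one header plus its message per line) and alerting when is_skewed() is true catches the condition in the post at ingest time; a five-minute tolerance absorbs normal clock drift between an appliance and the collector while still flagging a relay that stamps events months away from when they happened.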