random extra comma showing up in Splunk

#1 boostcreep

So I'm working on moving our logging away from SolarWinds and into nxlog. We like to punt off our logs to Splunk so that our security department can create dashboards and such for the events they care about. I've just about got the output perfect, besides ONE random extra comma and I can't figure out where it's coming from.

Here is my config:

define ROOT C:\Program Files (x86)\nxlog

define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LOGFILE %ROOT%\data\nxlog.log
LogLevel INFO

<Extension syslog>
    Module xm_syslog
</Extension>

define MonitoredEventIDs 1100, 1102, 1104, 4608, 4609, 4624, 4625, 4634, 4647, 4648,
4656, 4658, 4659, 4660, 4661, 4662, 4663, 4664, 4670, 4672,
4673, 4724, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727,
4728, 4729, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739,
4740, 4766, 4767, 4768, 4776, 4781, 4801, 4825, 4907, 5136,
5137, 5139, 5141, 5145, 6416, 13002, 13003, 18500, 18502, 307

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security"></Select>
                <Select Path="Microsoft-Windows-PrintService/Operational"></Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%MonitoredEventIDs%) drop();
    </Exec>
</Input>

<Input GFI>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="GFI EndPointSecurity">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_udp
    Host 10.1.0.1
    Port 514
    Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ",");
</Output>

<Route>
    Path eventlog, GFI => out
</Route>

That creates this beautiful output in Splunk, except for the random extra comma before 'An account was logged off.' This single extra comma is throwing off the parsing of the logs that our customer receives and I need to get rid of it... Any advice?

Mar 1 21:58:26 mycomputer.com MSWinEventLog,1,Security,79,Mon Mar 01 14:58:26 2021,4634,Microsoft-Windows-Security-Auditing,N/A,N/A,Success Audit,mycomputer.com,Logoff,,An account was logged off. Subject: Security ID: S-1-5-21-2294171146-2094350030-1588952898-500 Account Name: pcgroup Account Domain: mycomputer Logon ID: 0x2D069A2F Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,1023042
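As an added illustration (not from the thread and not NXLog's or Splunk's code), here is a small Python check that parses the comma-delimited Snare-style line shown above, flags the empty column in front of the message that the poster is asking about, and also flags the more general hazard of the config's `replace($raw_event, "\t", ",")`: once every tab has become a comma, a comma inside the free-text event message is indistinguishable from a column separator. The column names are my own labels, since the thread does not name them; the expected column count is taken from the poster's own line minus the one delimiter they say is extra. The first sample is the poster's line verbatim, the second is a constructed variant whose message contains a comma.

```python
import re

# Sample 1: the line from the post above, verbatim. The ",," after "Logoff"
# is the extra delimiter the poster is asking about.
SAMPLE = (
    "Mar 1 21:58:26 mycomputer.com MSWinEventLog,1,Security,79,"
    "Mon Mar 01 14:58:26 2021,4634,Microsoft-Windows-Security-Auditing,N/A,N/A,"
    "Success Audit,mycomputer.com,Logoff,,An account was logged off. Subject: "
    "Security ID: S-1-5-21-2294171146-2094350030-1588952898-500 Account Name: "
    "pcgroup Account Domain: mycomputer Logon ID: 0x2D069A2F Logon Type: 2 "
    "This event is generated when a logon session is destroyed. It may be "
    "positively correlated with a logon event using the Logon ID value. "
    "Logon IDs are only unique between reboots on the same computer.,1023042"
)

# Sample 2: a constructed line (not from the thread) whose message text
# itself contains a comma, to show why tab-to-comma replacement is fragile.
SAMPLE_COMMA = (
    "Mar 1 21:59:00 mycomputer.com MSWinEventLog,1,Security,80,"
    "Mon Mar 01 14:59:00 2021,4625,Microsoft-Windows-Security-Auditing,N/A,N/A,"
    "Failure Audit,mycomputer.com,Logon,An account failed to log on. "
    "Failure Information: Status: 0xC000006D, Sub Status: 0xC000006A.,1023043"
)

# Assumed labels for the fixed columns that precede the message; the thread
# does not name them, so these names are mine.
LEADING = ["tag", "criticality", "channel", "counter", "event_time", "event_id",
           "source_name", "user_name", "sid_type", "event_type", "computer",
           "category"]

# BSD-syslog header as it appears in the sample: "Mon  d HH:MM:SS host body".
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$",
    re.S,
)


def parse_snare_csv(line):
    """Split one comma-delimited Snare line into named columns.

    Fixed columns are taken from the left and the trailing counter from the
    right, so commas inside the free-text message cannot shift either of them.
    """
    m = SYSLOG_HDR.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % line[:40])
    parts = m.group("body").split(",", len(LEADING))
    if len(parts) != len(LEADING) + 1:
        raise ValueError("expected at least %d columns, got %d"
                         % (len(LEADING) + 1, len(parts)))
    rec = dict(zip(LEADING, parts[:-1]))
    message, sep, trailer = parts[-1].rpartition(",")
    if not sep:
        raise ValueError("missing trailing counter column")
    rec.update(syslog_ts=m.group("ts"), host=m.group("host"),
               message=message, trailer=trailer)
    return rec


def audit(rec):
    """Return the list of structural problems found in a parsed record."""
    problems = []
    if rec["message"].startswith(","):
        problems.append("empty column before message: one delimiter too many")
    if "," in rec["message"].lstrip(","):
        problems.append("message body contains the delimiter: column split is ambiguous")
    if not rec["event_id"].isdigit():
        problems.append("event_id is not numeric: leading columns are shifted")
    return problems


def normalize(rec):
    """Drop the single spurious empty column in front of the message, if present."""
    fixed = dict(rec)
    if fixed["message"].startswith(","):
        fixed["message"] = fixed["message"][1:]
    return fixed


if __name__ == "__main__":
    for line in (SAMPLE, SAMPLE_COMMA):
        rec = parse_snare_csv(line)
        print(rec["event_id"], rec["category"], audit(rec) or "ok")
```

Run against an export of the lines Splunk is receiving, this tells the security team how many events carry the extra column and how many carry a comma in the message body before any dashboard is built on shifted fields. The second finding is the one to take seriously: `normalize()` papers over a fixed extra delimiter, but nothing can recover columns once the message itself contains the separator, so if the receiving side can be changed it is safer to leave the Snare tabs in place or ship the event as JSON (NXLog's xm_json `to_json()`) instead of rewriting tabs to commas.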

#2 rafDeactivated Nxlog ✓

Hi,

Have you checked what data is in the input? Are we sure that the resulting "," appears after parsing in the core?

Thanks,
Rafal