delete is not deleting fields from log
Hello everyone!
I would like to Delete EventTime Field from BIND log and not send it to remote SIEM Server
Here is a log example:
11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)
Unfortunately, it seems that i'm doing something wrong because "11-mai-2021 00:27:48.084" still persist in log
Here is my config:
Panic Soft #NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data
<Extension _syslog> Module xm_syslog </Extension>
<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>
<Extension _exec> Module xm_exec </Extension>
<Input in1> Module im_file File 'C:\NXLOGTEST\fileTEST.log'
<Exec>
# 2. Parse BIND 9 metadata
if $Message =~ /(?x)^(?<EventTime>\S+\s\S+)\s(?<Category>\S+):\s
(?<BINDSeverity>[^:]+):\s(?<Message>.+)$/i
{
I TRIED ALSO LIKE THIS
delete($EventTime);
# 3. Parse messages from the queries category
if $Category == "queries"
{
$Message =~ /(?x)^client\s((?<ClientID>\S+)\s)?(?<Client>\S+)\s
\((?<OriginalQuery>\S+)\):\squery:\s
(?<QueryName>\S+)\s(?<QueryClass>\S+)\s
(?<QueryType>\S+)\s(?<QueryFlags>\S+)\s
\((?<LocalAddress>\S+)\)$/;
}
}
</Exec>
#NOW I HAVE IT CONFIGURED LIKE THIS
Exec delete($EventTime);
</Input>
<Output out1> Module om_udp Host 192.168.0.227 Port 514 </Output>
<Route r1> Path in1 => out1 </Route>
nxlog.log shows no errors, only this line after starting:
2021-05-11 19:57:20 INFO nxlog-ce-2.10.2150 started
Can anyone help me investigate?