Regex and NXlog
#1
farrisk01
Given:
<Exec>
    if ($EventID == 5156) OR ($EventID == 5158)
        drop();
    else if ($Channel == 'Security') and ($EventID == 4624)
        $Message =~ s/\s*This event is generated when a logon session is created.*$//s;
    else if ($Channel == 'Security') and ($EventID == 4634)
        $Message =~ s/\s*This event is generated when a logon session is destroyed.*$//s;
    # Update the $raw_event field
    $raw_event = $EventTime + ' ' + $Message;
</Exec>
If I understand this correctly, when an EventID of 4624 or 4634 is received a substitution is performed on the Message field and the original contents are replaced with nothing (null). Am I correct, or at least close? If so, what does the 's' before the ';' mean?
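The following is an added example, not part of the original post or of NXLog itself; it replays the two substitutions from the Exec block above in Python on a constructed, shortened 4624 message, so the effect of the pattern and of the trailing `s` modifier can be checked. The `s` is the Perl-style "single line" regex modifier: it lets `.` match newline characters, which matters because the explanatory paragraph at the end of a Windows logon event spans several lines. Only the matched tail (from "This event is generated ..." to the end) is removed; the fields before it stay in `Message`. The `process_event` function, the `SAMPLE_4624` text and the record layout are assumptions made for this example.

```python
import re

# Constructed, shortened sample of a Windows Security 4624 message. The real
# event carries many more fields; the shape that matters here is that the
# explanatory text begins with "This event is generated ..." and runs over
# several lines to the end of the message.
SAMPLE_4624 = (
    "An account was successfully logged on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tEXAMPLE-HOST$\r\n"
    "\r\n"
    "Logon Type:\t\t3\r\n"
    "\r\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\r\n"
    "\r\n"
    "The subject fields indicate the account on the local system which requested the logon.\r\n"
    "\r\n"
    "The logon type field indicates the kind of logon that occurred."
)

# The same patterns the NXLog rule uses, keyed by EventID.
TRAILING_TEXT = {
    4624: r"\s*This event is generated when a logon session is created.*$",
    4634: r"\s*This event is generated when a logon session is destroyed.*$",
}


def strip_explanation(event_id, message, dotall=True):
    """Remove the explanatory tail from a logon/logoff message.

    dotall=True corresponds to NXLog's trailing 's' modifier (dot matches
    newline). With dotall=False the pattern cannot cross the line breaks
    inside the explanation, so the substitution silently does nothing.
    """
    pattern = TRAILING_TEXT.get(event_id)
    if pattern is None:
        return message
    flags = re.DOTALL if dotall else 0
    return re.sub(pattern, "", message, count=1, flags=flags)


def process_event(record):
    """Mirror of the Exec block (hypothetical record layout for this example):
    drop the noisy 5156/5158 filtering-platform events, trim the explanation
    from Security 4624/4634 messages, then rebuild raw_event from EventTime
    and Message. Returns None for dropped events.
    """
    event_id = record["EventID"]
    if event_id in (5156, 5158):
        return None
    message = record["Message"]
    if record.get("Channel") == "Security":
        message = strip_explanation(event_id, message)
    return {
        **record,
        "Message": message,
        "raw_event": f"{record['EventTime']} {message}",
    }


if __name__ == "__main__":
    record = {
        "EventTime": "2024-01-01 12:00:00",  # constructed value
        "Channel": "Security",
        "EventID": 4624,
        "Message": SAMPLE_4624,
    }
    print(process_event(record)["raw_event"])
    # Without the 's' modifier the message is returned unchanged:
    print(strip_explanation(4624, SAMPLE_4624, dotall=False) == SAMPLE_4624)
```

Running it shows the trimmed message ending at the "Logon Type" line, while the dotall=False variant leaves the message untouched, which is why the `s` matters for multi-line event text.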
Hi Kevin,
The character ";" is used to close a statement. It basically signifies the end of a statement, e.g.
    if $Hostname == 'Stagging-VM' drop();
    $Server = 'My-Test-Server';
etc.