Send from hostname to folder


#1 djmilestone

Hi all,

NXLOG newbie. I'm trying to inject logs from a specific hostname into a specific folder. For example:

if hostname = x then store log in folder = y

I'm running a very bare-bones setup. I'd like to use the FQDN as the variable for hostname rather than an IP. Current config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension fileop>
    Module  xm_fileop
</Extension>

<Input udp>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    Exec    parse_syslog();
</Input>

<Output file>
    Module     om_file
    File       "C:/Syslogs/nxlog/" + $HostName + "/" + $HostName + ".log"
    CreateDir  TRUE
    <Exec>
        if file_size("C:/Syslogs/nxlog/" + $HostName + "/" + $HostName + ".log") > 10M
        {
            file_cycle("C:/Syslogs/nxlog/" + $HostName + "/" + $HostName + ".log", 2);
            reopen();
        }
    </Exec>
</Output>

<Route 1>
    Path    udp => file
</Route>

# Snare compatible example configuration

# Collecting event log
<Input in>
    Module  im_msvistalog
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module  om_tcp
    Host    192.168.1.1
    Port    514
    Exec    to_syslog_snare();
</Output>

# Connect input 'in' to output 'out'
<Route 1>
    Path    in => out
</Route>

#2 KlevinDeactivated Nxlog ✓

Hello Sir,

You can use the following line to define a hostname variable:

Exec       $Hostname = hostname();

In case the devices are server-less, you can use xm_resolver, but this is available in NXLog Enterprise Edition.

Sincerely,
Klevin
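An added example configuration, not from either post in this thread, that does what the question asks: one folder and file per sending host under C:/Syslogs/nxlog, named from the $Hostname field that parse_syslog() takes out of the syslog header (that is the sender's name, whereas hostname() returns the name of the machine running NXLog). Because that header value is written by the sender, the config accepts only DNS-style names before using the value in a path; the OUTDIR define and the $LogPath field are names chosen here, and the fallback to $MessageSourceAddress assumes parse_syslog() leaves $Hostname unset when the header carries none.

```nxlog
define OUTDIR C:/Syslogs/nxlog

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _fileop>
    Module  xm_fileop
</Extension>

<Input udp>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    <Exec>
        parse_syslog();
        # No hostname in the header: fall back to the sender's IP address
        if not defined($Hostname) $Hostname = string($MessageSourceAddress);
        # Accept only DNS-style names (letters, digits, hyphens, dots); this
        # rejects "..", slashes, spaces and anything else that could alter the path
        if not ($Hostname =~ /^[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9][A-Za-z0-9-]*)*$/)
        {
            log_warning("Dropping message from " + string($MessageSourceAddress) + ": invalid hostname '" + $Hostname + "'");
            drop();
        }
        # Normalize case so HOST1 and host1 share one folder
        $Hostname = lc($Hostname);
        $LogPath = "%OUTDIR%/" + $Hostname + "/" + $Hostname + ".log";
    </Exec>
</Input>

<Output file>
    Module     om_file
    File       $LogPath
    CreateDir  TRUE
    <Exec>
        # Rotate at 10 MB, keep two old copies, then reopen the fresh file
        if file_size($LogPath) > 10M
        {
            file_cycle($LogPath, 2);
            reopen();
        }
    </Exec>
</Output>

<Route 1>
    Path    udp => file
</Route>
```

If the senders put a short name rather than an FQDN in the syslog header, the folder will carry that short name; the header is the only source of the name in this setup.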