NXLog and Windows Firewall Log File
Hi. I am relatively new to nxlog and I hope the community can help me with my question. On a Windows Server I have a Windows Firewall log file and the following nxlog configuration:
<Input in>
    Module        im_file
    File          "C:\Windows\system32\LogFiles\Firewall\pfirewall.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    # parse each line read from the file as IETF syslog
    Exec          parse_syslog_ietf();
</Input>

<Output out>
    Module        om_tcp
    Host          3.125.146.97:514
    #Exec         to_syslog_ietf();
</Output>

<Route 1>
    Path          in => out
</Route>
So far so good. The logs I receive now look as follows:
<13>1 2022-07-08T13:44:08+00:00 ec2-3-66-101-32 1 - - - 2022-07-08T15:44:17.208477+02:00 WINFS02 - - - [NXLOG@14506 EventReceivedTime="2022-07-08 15:44:17" SourceModuleName="in" SourceModuleType="im_file"] 2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE
Can I shorten the message so that I receive just the end of it?
2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE
First, it sounds like you just want the log back in RAW format. If so, then remove the statement 'parse_syslog_ietf()'.
Per NXLog's documentation, the IETF parser adds the following items in parsing:
* PRI: Message Priority
* VERSION: Syslog format version
* TIMESTAMP: YYYY-MM-DDTHH:MM:SS.000000Z (or specified time zone)
* HOSTNAME
* APP-NAME: Device or Application that generated the message
* PROCID: Process ID
* MSGID: Message type
From the examples in the documentation and my own experience, the RAW log is then attached to the end of the parsed information. So, by not running the parser, you should be back where you wanted to be.
I am referencing: https://docs.nxlog.co/userguide/integrate/syslog.html
I hope I didn't misunderstand your question.
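As an added example (not from the thread above or from NXLog), here is what the raw pfirewall.log line the question wants to forward actually contains: Windows writes it in W3C extended log format with the 17 columns named in the file's "#Fields:" header, so once the syslog wrapper is gone a receiver can split it into fields and, for instance, pick out dropped inbound packets. The sample log is constructed; it contains the line from the question plus one made-up DROP entry.

```python
from typing import List, Optional

# Column names Windows writes in the "#Fields:" header of pfirewall.log.
# The raw line quoted in the question has exactly these 17 space-separated columns.
FIELDS = (
    "date", "time", "action", "protocol", "src-ip", "dst-ip",
    "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
    "tcpwin", "icmptype", "icmpcode", "info", "path",
)

# Constructed sample: the header lines Windows writes, the line from the
# question (addresses anonymised there as X/Y/Z), and one constructed DROP entry.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE
2022-07-08 15:44:19 DROP UDP 198.51.100.7 203.0.113.5 51234 161 78 - - - - - - - RECEIVE
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one pfirewall.log line into a dict; header and blank lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    cols = line.split()
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}: {line!r}")
    # "-" means "not applicable" in this format; normalise it to None
    return {name: (None if value == "-" else value) for name, value in zip(FIELDS, cols)}


def parse_log(text: str) -> List[dict]:
    """Parse a whole log file, skipping its header lines."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def dropped_inbound(records: List[dict]) -> List[dict]:
    """Defender's view: inbound packets the firewall rejected."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


if __name__ == "__main__":
    for r in dropped_inbound(parse_log(SAMPLE_LOG)):
        print(r["date"], r["time"], r["protocol"], r["src-ip"], "->", r["dst-port"])
```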