Transformation of logs from json to kvp
Hello everyone,
We should log on Windows server some IIS and SQL Server logs via agent in Community Edition. Through documentation I have examples that produce as results logs in csv and/or json format. Could you give me a hand in transforming the logs from json and/or csv format to key-value (kvp)?
Thank you very much for the support.
Hello,
please check the following configuration:
<Extension _syslog>
    Module          xm_syslog
</Extension>

<Extension exec>
    Module          xm_exec
</Extension>

<Extension json>
    Module          xm_json
</Extension>

# This block rotates %TESTLOGFILE% on a schedule. Note that if LogFile
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
# TESTLOGFILE must be set with a define directive; it is not defined in this snippet.
# Check the size of our log file hourly, rotate if it is 1000M or larger
<Extension xm_fileop>
    Module          xm_fileop
    <Schedule>
        Every       1 hour
        <Exec>
            if ( file_exists('%TESTLOGFILE%') and
                 (file_size('%TESTLOGFILE%') >= 1000M) )
            {
                file_cycle('%TESTLOGFILE%', 8);
            }
        </Exec>
    </Schedule>
</Extension>

# Output format: key=value pairs separated by commas, values quoted with "
<Extension kvp>
    Module          xm_kvp
    KVPDelimiter    ,
    KVDelimiter     =
    EscapeChar      \\
    ValueQuoteChar  "
</Extension>

<Input sidewinder>
    Module          im_tcp
    ListenAddr      0.0.0.0:514
    # Parse the incoming JSON into fields, then rewrite $raw_event as KVP
    Exec            parse_json(); kvp->to_kvp();
</Input>

<Output file>
    Module          om_file
    File            "/srv/output"
</Output>

<Route file_to_syslog>
    Path            sidewinder => file
</Route>
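
For the CSV half of the question, the following is an added example (not part of the reply above and not NXLog's own sample) that reads space-delimited IIS W3C logs with xm_csv and rewrites each event as KVP using the same xm_kvp settings. The field list, the instance names (w3c, iis, kvp_file, iis_to_kvp) and both file paths are assumptions; the Fields list must match the "#Fields:" header of your own IIS logs.

```apache
# Parser for the IIS W3C format (assumed default field set, in file order)
<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s_ip, $cs_method, $cs_uri_stem, \
                    $cs_uri_query, $s_port, $cs_username, $c_ip, \
                    $cs_user_agent, $cs_referer, $sc_status, \
                    $sc_substatus, $sc_win32_status, $time_taken
    Delimiter       ' '
    EscapeControl   FALSE
    # IIS writes "-" for empty values; leave those fields undefined
    UndefValue      -
</Extension>

# Same KVP settings as in the configuration above
<Extension kvp>
    Module          xm_kvp
    KVPDelimiter    ,
    KVDelimiter     =
    EscapeChar      \\
    ValueQuoteChar  "
</Extension>

<Input iis>
    Module          im_file
    # Assumed IIS log location; adjust the site ID (W3SVC1) to your server
    File            'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    <Exec>
        # Skip the W3C header lines (#Software, #Version, #Date, #Fields)
        if $raw_event =~ /^#/ drop();
        else
        {
            # Split the line into the fields listed in the w3c instance
            w3c->parse_csv();
            # Replace $raw_event with the key=value representation
            kvp->to_kvp();
        }
    </Exec>
</Input>

<Output kvp_file>
    Module          om_file
    # Hypothetical output path
    File            'C:\logs\iis_kvp.log'
</Output>

<Route iis_to_kvp>
    Path            iis => kvp_file
</Route>
```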