Not enough fields in CSV input


rico.mueller
Hello,

I'm currently trying to send logs from our Exchange Server to a log collector.

Sadly, when I check the NXLog logs I see the error "Not enough fields in CSV input". Does anyone know what to do in this case?

 

ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input 

Configuration Code:


#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDR.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define CertDir C:\Program Files (x86)\nxlog\cert
 
#Define the modules that will be used by nxlog.
 
<Extension json>
    Module xm_json
</Extension>
 
<Extension _syslog>
    Module  xm_syslog
</Extension>
 
<Extension MessageTrackingLog>
    Module      xm_csv
	Fields 		$date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    	Delimiter   
	QuoteMethod	None
</Extension>
 
<Input in_MessageTrackingLog>
	Module  im_file
	File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
	InputType LineBased
	SavePos TRUE
	PollInterval 1
	<Exec>
		if $raw_event =~ /^#/ drop();
		else
		{
			MessageTrackingLog->parse_csv();
			$EventTime = parsedate($date + " " + $time);
            $SourceName = "MessageTrackingLog";				
            $raw_event = to_json();	
		}
	</Exec>
 </Input>
 
<Output out_MesssageTrackingLog>
    Module      om_udp
	#This is the IP address of the Cybereason XDR Collector
    Host        X.X.X.X
	#This is the port configured on the Universal Event Source
    Port        XXXX
</Output>
 
<Route 1>
   Path        in_MessageTrackingLog=>out_MesssageTrackingLog
</Route>

Thanks a lot :)
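
Added example (not part of the original post, and not NXLog or Cybereason code): "expected 30, got 1" means the parser did not split the line at all, so a quick offline check is to count fields per data line for a few candidate delimiters. The sample lines and function names below are constructed for illustration, and Python's csv module only approximates what xm_csv sees.

```python
import csv

# Field names copied from the Fields directive in the posted nxlog.conf (30 entries).
FIELDS = ("date-time,client-ip,client-hostname,server-ip,server-hostname,"
          "source-context,connector-id,source,event-id,internal-message-id,"
          "message-id,network-message-id,recipient-address,recipient-status,"
          "total-bytes,recipient-count,related-recipient-address,reference,"
          "message-subject,sender-address,return-path,message-info,"
          "directionality,tenant-id,original-client-ip,original-server-ip,"
          "custom-data,transport-traffic-type,log-id,schema-version").split(",")

def count_fields(line, delimiter):
    """Field count for one line, honouring double-quoted values."""
    row = next(csv.reader([line], delimiter=delimiter), [])
    return len(row)

def diagnose(lines, delimiter, expected=len(FIELDS)):
    """Return (line_no, field_count) for every data line with the wrong count."""
    bad = []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#"):          # same filter as the posted Exec block
            continue
        n = count_fields(line, delimiter)
        if n != expected:
            bad.append((no, n))
    return bad

def best_delimiter(lines, candidates=(",", "\t", ";", " ")):
    """First candidate for which every data line has the expected field count."""
    for d in candidates:
        if not diagnose(lines, d):
            return d
    return None

def header_fields(lines):
    """Field names from the log's own '#Fields:' header line, if present."""
    for line in lines:
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].strip().split(",")
    return None

# Constructed sample (not real log data): two header lines, two data lines.
_row = ["v%d" % i for i in range(len(FIELDS))]
_quoted = list(_row)
_quoted[18] = '"Quarterly report, final"'   # message-subject containing a comma
SAMPLE = ["#Software: Microsoft Exchange Server",
          "#Fields: " + ",".join(FIELDS),
          ",".join(_row),
          ",".join(_quoted)]

if __name__ == "__main__":
    print("tab:", diagnose(SAMPLE, "\t"), "| best:", repr(best_delimiter(SAMPLE)))
```

To check a real file, pass the lines of one MSGTRK*.LOG file to `diagnose()` and compare `header_fields()` with the Fields directive in the configuration.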