Not enough fields in CSV input


#1 rico.mueller (Last updated )
Hello,

im currently try to send logs from our Exchange Server to a log Collector.

Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case?

 

ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input 

Configuration Code:

<Extension MessageTrackingLog>   Module      xm_csvFields   $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version    Delimiter   QuoteMethod None

#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDRf.

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log define CertDir C:\Program Files (x86)\nxlog\cert

#Define the modules that will be used by nxlog.

<Extension json> Module xm_json </Extension>

<Extension _syslog> Module xm_syslog </Extension>

<Extension MessageTrackingLog> Module xm_csv Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version Delimiter
QuoteMethod None </Extension>

<Input in_MessageTrackingLog> Module im_file File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG' InputType LineBased SavePos TRUE PollInterval 1 <Exec> if $raw_event =~ /^#/ drop(); else { MessageTrackingLog->parse_csv(); $EventTime = parsedate($date + " " + $time); $SourceName = "MessageTrackingLog"; $raw_event = to_json(); } </Exec> </Input>

<Output out_MesssageTrackingLog> Module om_udp #This is the IP address of the Cybereason XDR Collector Host X.X.X.X #This is the port configured on the Universal Event Source Port XXXX </Output>

<Route 1> Path in_MessageTrackingLog=>out_MesssageTrackingLog </Route>

Thanks a lot :)

#2 NenadM Nxlog ✓

I guess your log delimiter is an whitespace character. Try specifying the Delimiter in the xm_csv module like this:
 

<Extension MessageTrackingLog>
  Module        xm_csv
  Fields 		$date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
  Delimiter      " "
  QuoteMethod	 None
</Extension>