Not enough fields in CSV input
Hello,
I'm currently trying to send logs from our Exchange Server to a log collector.
Sadly, when I check the NXLog logs I see the error "not enough fields in CSV input". Does anyone know what to do in this case?
ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input
Configuration Code:
#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDR.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define CertDir C:\Program Files (x86)\nxlog\cert

#Define the modules that will be used by nxlog.
<Extension json>
    Module xm_json
</Extension>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension MessageTrackingLog>
    Module xm_csv
    Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    Delimiter
    QuoteMethod None
</Extension>

<Input in_MessageTrackingLog>
    Module im_file
    File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    InputType LineBased
    SavePos TRUE
    PollInterval 1
    <Exec>
        # Header lines in MSGTRK*.LOG start with '#'; drop them instead of parsing them.
        if $raw_event =~ /^#/ drop();
        else
        {
            MessageTrackingLog->parse_csv();
            # The timestamp is the single 'date-time' field; a hyphenated name must be written as ${...}.
            $EventTime = parsedate(${date-time});
            $SourceName = "MessageTrackingLog";
            $raw_event = to_json();
        }
    </Exec>
</Input>

<Output out_MessageTrackingLog>
    Module om_udp
    #This is the IP address of the Cybereason XDR Collector
    Host X.X.X.X
    #This is the port configured on the Universal Event Source
    Port XXXX
</Output>

<Route 1>
    Path in_MessageTrackingLog => out_MessageTrackingLog
</Route>
Thanks a lot :)
I guess your log delimiter is a whitespace character. Try specifying the Delimiter in the xm_csv module like this:
<Extension MessageTrackingLog>
    Module xm_csv
    Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    Delimiter " "
    QuoteMethod None
</Extension>
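As an added illustration (not code from this thread or from NXLog), the Python below mimics the field-count check that xm_csv's parse_csv() applies under QuoteMethod None and probes candidate delimiters against a constructed 30-field MSGTRK record: the delimiter that actually occurs in the line yields 30 fields, while one that does not occur yields the thread's "expected 30, got 1". The field names are the ones from the Fields directive above; the sample values and the helper names are assumptions.

```python
"""Added example (not from the thread or NXLog): mimics the field-count check that
xm_csv's parse_csv() applies under QuoteMethod None and probes candidate delimiters."""
# The 30 field names from the thread's xm_csv Fields directive (Exchange MSGTRK schema).
EXPECTED_FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data", "transport-traffic-type", "log-id", "schema-version",
]

# Constructed sample record in MSGTRK*.LOG layout (placeholder values, comma-delimited).
SAMPLE_LINE = ",".join([
    "2024-01-15T10:22:31.123Z", "10.0.0.5", "MAIL01", "10.0.0.9", "EDGE01",
    "08DC1234ABCD;2024-01-15T10:22:31.000Z;0", "Default MAIL01", "SMTP", "RECEIVE",
    "1234567890", "<msg@example.test>", "abcdefab-1234-5678-9abc-def012345678",
    "user@example.test", "250 2.6.0 OK", "4096", "1", "", "", "Weekly report",
    "sender@example.test", "sender@example.test", "", "Originating", "",
    "10.0.0.5", "10.0.0.9", "S:FirstForestHop=MAIL01", "Email",
    "deadbeef-0000-1111-2222-333344445555", "15.02.1118.007",
])

def split_fields(line, delimiter=","):
    """Plain split on the delimiter, as xm_csv does with QuoteMethod None (no quote handling)."""
    return line.rstrip("\r\n").split(delimiter)

def parse_tracking_line(line, delimiter=",", fields=EXPECTED_FIELDS):
    """Return {field: value}; None for '#' header lines (the thread's Exec block drops them);
    raise ValueError worded like NXLog's parse_csv() failure when fields are missing."""
    if line.startswith("#"):
        return None
    values = split_fields(line, delimiter)
    if len(values) < len(fields):
        raise ValueError(f"Not enough fields in CSV input, expected {len(fields)}, got {len(values)}")
    return dict(zip(fields, values))

def parse_error(line, delimiter=","):
    """The parse_csv-style error message for this delimiter, or None if the line parses."""
    try:
        parse_tracking_line(line, delimiter)
    except ValueError as exc:
        return str(exc)
    return None

def probe_delimiters(line, candidates=(",", " ", "\t", ";", "|")):
    """Field count per candidate delimiter; the right one yields exactly len(EXPECTED_FIELDS)."""
    return {d: len(split_fields(line, d)) for d in candidates}
```

Running probe_delimiters() on a line copied from the real MSGTRK*.LOG before touching the Delimiter directive shows which candidate returns 30 and so which value the xm_csv block needs.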