perl_call() method is not working in Windows 11


#1 Ankur Gangwar

Purpose: To add geographical information (geoip) with the logs.

Problem: I am trying to add geoip to the logs coming from Linux and Windows hosts. For that I have gone through https://docs.nxlog.co/ce/current/index.html#xm_perl. On both (Windows and Linux hosts), I am not able to run nxlog after modifying the nxlog config according to the given link.

Windows-11: First, I installed perl-5.28.2.1; after that I modified the config. When I try to restart the nxlog service, it shows the following error in the log file:

2023-12-04 07:09:22 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_perl.dll, The specified module could not be found.  ; The specified module could not be found.  
2023-12-04 07:09:22 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:62; couldn't parse statement at line 65, character 0 in C:\Program Files\nxlog\conf\nxlog.conf; function 'perl_call()' does not exist or takes different arguments
2023-12-04 07:09:22 ERROR module 'sys_in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 WARNING no routes defined!
2023-12-04 07:09:22 WARNING not starting unused module sys_in
2023-12-04 07:09:22 WARNING not starting unused module sys_out

Config is as follows:

Panic Soft
#NoFreeOnExit TRUE
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
<Extension _syslog>
   Module      xm_syslog
</Extension>
<Extension _json>
   Module      xm_json
</Extension>
<Extension _charconv>
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
   Module      xm_exec
</Extension>
<Extension perl>
   Module      xm_perl
   PerlCode    C:\Program Files\nxlog\modules\extension\perl\processlogs.pl
</Extension>
<Extension _fileop>
   Module      xm_fileop
   # Check the size of our log file hourly, rotate if larger than 5MB
   <Schedule>
       Every   1 hour
       Exec    if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
   </Schedule>
   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
   </Schedule>
</Extension>

# Sending the system logs over tcp
<Input sys_in>
   Module      im_msvistalog
   <Exec>
       $raw_event = "windows " + to_json();
       perl_call("process")
   </Exec>
</Input>
#setting the output to rsyslog server
<Output sys_out>
   Module      om_tcp
   Host        <ip-address of rsyslog server>
   Port        514
   # First we parse the input natively from nxlog
   Exec        parse_syslog_bsd();
   # Now call the 'process' subroutine defined in 'processlogs.pl'
   Exec        to_json();
</Output>
<Route 1>
   Path        sys_in => sys_out
</Route>

Linux-Ubuntu (22.04): I have not installed Perl as it is already installed. So I modified the config and restarted the nxlog service, but the logs show:

2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl
2023-12-04 14:41:52 INFO nxlog-ce-3.2.2329 started
2023-12-04 14:41:52 INFO connecting to <ip-address of rsyslog server>:514
2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl

Config is as follows:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs

########################################
# Global directives
########################################
User nxlog
Group nxlog
include /etc/nxlog/nxlog.d/*.conf
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules
########################################
<Extension _syslog>
   Module      xm_syslog
</Extension>
<Extension perl>
   Module      xm_perl
   PerlCode    /etc/nxlog/processlogs.pl
</Extension>
<Input in1>
   Module      im_file
   File        "/var/log/auth.log"
   <Exec>
       $raw_event = " ankurlapauthlogs " + $raw_event;
   </Exec>
</Input>
<Output fileout1>
   Module      om_tcp
   Host        <ip-address of rsyslog server>
   Port        514
   Exec        perl_call("process");
   Exec        to_syslog_bsd();
</Output>

########################################
# Routes
########################################
<Route 1>
   Path        in1 => fileout1
</Route>

P.S. I am using the same processlogs.pl file as given in the reference manual.