using nxlog regex_replace - Page 1 | Log collection solutions

#1 Asaf Sobol 3 weeks ago

Hello,

im trying to use this function to hide filenames for windows event 4663 and attempt was made to access an object:

Exec if $raw_event =~ /Object Name.*\.[a-zA-Z0-9]+$/ {

# Replace file name with 'xxxxx' and keep the file extension intact

$raw_event = regex_replace($raw_event, '(Object Name.*\\)[^\\]+(\.[a-zA-Z0-9]+)', '\1xxxxx\2');

}

</Processor>

nxlog logs keeps telling im missing a module, is this function locked to the enterprise version ? is there another way around it ?

thanks in advance

Permalink

#2 alexander.lifanov@nxlog.org Nxlog ✓ 2 weeks ago (Last updated 2 weeks ago )

You use the <Processor> block without Module reference → https://docs.nxlog.co/userguide/configure/overview.html#modules

You need to do one of the following:

Add Module pm_null to <Processor xxx> block
Totally remove <Processor xxx> block and move <Exec> to input or output config - similar to https://docs.nxlog.co/ce/current/index.html#xm_syslog_example2