Insert custom text into log (raw event) | Log collection solutions

#1 MAXIMUSLOLOL 1 week ago (Last updated 1 week ago )

Hi,

I am trying to insert a custom, static text into the raw event (so that the output has the custom text + the log). However, it refuses to work. The log output is the same whether I add or remove my exec $raw_event

My config input and output look like this:


<Input in>
Module      im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='System'></Select>
<Select Path='Application'></Select>
<Select Path='Security'>*</Select>
</Query>
</QueryList>
</QueryXML>
Exec $raw_event = "STATIC CONTENT" + $raw_event;
</Input>
<Output out>
Module      om_udp
Host        XX.XX.XX.XX
Port        514
Exec        to_syslog_snare();
</Output>
<Route 1>
Path        in => out
</Route>

Logs:

2025-02-12 11:09:20 INFO nxlog-ce-3.2.2329 started

Permalink

#2 MAXIMUSLOLOL 1 week ago

Found the issue.

This:

Exec $raw_event = "STATIC CONTENT" + $raw_event;

Should be placed under the convertion to syslog.

Exec        to_syslog_snare();