Module xm_syslog with delimiter | Log collection solutions

#1 _omar_ 6 years ago

Hello:

I have a week trying to replace the default TAB delimiter for comma, so far I got this:

<Extension _syslog>
    Module      xm_syslog
	Delimiter 	,
</Extension>

<Input in>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_tcp
    Host        192.168.1.2
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

I also try changing , for 0x2C Sadly doesn't work, all I can see is the delimiter change for a extrange character <NULL>. I'm using the latest community version. I really hope that someone help me with a clear answer.

Permalink

#2 b0ti Nxlog ✓ 6 years ago

#1 _omar_

Hello: I have a week trying to replace the default TAB delimiter for comma, so far I got this: <Extension _syslog> Module xm_syslog Delimiter , </Extension> <Input in> Module im_msvistalog </Input> <Output out> Module om_tcp Host 192.168.1.2 Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path in => out </Route> I also try changing , for 0x2C Sadly doesn't work, all I can see is the delimiter change for a extrange character <NULL>. I'm using the latest community version. I really hope that someone help me with a clear answer.

I don't think Delimiter is a valid configuration option for xm_syslog. As suggested before there is a SnareDelimiter configuration option supported by the NXLog EE.

Alternatively you can use the following with the NXLog CE to manually replace the tabs:

Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ';');