Exchange 2016 Message Tracking log config assistance

#1 jdalyasc
I am trying to use NXlog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs When I create the conf file and attempt to run it, the service starts but there are several errors logged in the nxlog.log file. My config file is as follows:

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension syslog>
    Module  xm_syslog
</Extension>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module  xm_csv
    Fields  date-time, client-ip, client-hostname, server-ip, server-hostname, \
            source-context, connector-id, source, event-id, \
            internal-message-id, message-id, network-message-id, \
            recipient-address, recipient-status, total-bytes, recipient-count, \
            related-recipient-address, reference, message-subject, \
            sender-address, return-path, message-info, directionality, \
            tenant-id, original-client-ip, original-server-ip, custom-data, \
            transport-traffic-type, log-id, schema-version
</Extension>

<Input messagetracking>
    Module  im_file
    File    '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

<Output out1>
    Module  om_udp
    Host    10.1.1.1
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path    messagetracking => out1
</Route>
```

The errors logged in the nxlog.log file are as follows:

```
2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started
```

I have yet to come across a working example of how to forward Exchange logs and was hoping someone may be able to assist. I can't see what I am missing here.
#2 Zhengshi Nxlog ✓

Your current problem lies in the `${date-time}` portion. While this is supported in the EE version, it is not in the CE version as of yet.
Hyphens (-) are not supported in field names currently; I would rename them to `date_time` and then call them as `$date_time`.