Exchange 2016 Message Tracking log config assistance
I am trying to use NXLog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here:
https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs
When I create the conf file and attempt to run it, the service starts, but there are several errors logged in the nxlog.log file.
My config file is as follows:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension syslog>
    Module xm_syslog
</Extension>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module xm_csv
    Fields date-time, client-ip, client-hostname, server-ip, server-hostname, \
           source-context, connector-id, source, event-id, \
           internal-message-id, message-id, network-message-id, \
           recipient-address, recipient-status, total-bytes, recipient-count, \
           related-recipient-address, reference, message-subject, \
           sender-address, return-path, message-info, directionality, \
           tenant-id, original-client-ip, original-server-ip, custom-data, \
           transport-traffic-type, log-id, schema-version
</Extension>

<Input messagetracking>
    Module im_file
    File '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>

<Output out1>
    Module om_udp
    Host 10.1.1.1
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path messagetracking => out1
</Route>
The errors logged in the nxlog.log file are as follows:
2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started
I have yet to come across a working example of how to forward Exchange logs and was hoping someone may be able to assist. I can't see what I am missing here.
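What the Exec block in the config above is meant to do, re-implemented in Python as an added example that is not part of the original post and is not NXLog code: drop the BOM-prefixed header and `#` comment lines, split each record into the 30 listed fields, and parse `date-time`. The function names, the sample lines and the timestamp format are assumptions; it can be used to check a tracking log offline before forwarding it.

```python
import csv
import re
from datetime import datetime

# Field list copied from the xm_csv block in the post.
FIELDS = [f.strip() for f in """
date-time, client-ip, client-hostname, server-ip, server-hostname,
source-context, connector-id, source, event-id,
internal-message-id, message-id, network-message-id,
recipient-address, recipient-status, total-bytes, recipient-count,
related-recipient-address, reference, message-subject,
sender-address, return-path, message-info, directionality,
tenant-id, original-client-ip, original-server-ip, custom-data,
transport-traffic-type, log-id, schema-version
""".split(",")]

# Same pattern as the drop() condition: optional UTF-8 BOM, then header or comment.
SKIP = re.compile(rb"^(\xEF\xBB\xBF)?(date-time,|#)")

def parse_line(raw: bytes):
    """Return a dict for a data record, or None for header/comment lines."""
    if SKIP.match(raw):
        return None
    text = raw.decode("utf-8-sig").rstrip("\r\n")
    values = next(csv.reader([text]))  # honours quoted commas in the subject
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    record = dict(zip(FIELDS, values))
    # Assumed timestamp format: 2018-07-12T18:06:10.123Z
    record["EventTime"] = datetime.strptime(
        record["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return record

def sample_lines():
    """Constructed sample input: two header lines and one data record."""
    values = ["2018-07-12T18:06:10.123Z", "192.0.2.10", "mbx01",
              "192.0.2.11", "mbx02"] + [""] * 25
    values[7], values[8] = "SMTP", "RECEIVE"
    values[18] = '"Invoice, July"'        # quoted because it contains a comma
    values[19] = "alice@example.com"
    return [b"\xef\xbb\xbf#Software: Microsoft Exchange Server\r\n",
            b"#Fields: date-time,client-ip\r\n",
            ",".join(values).encode() + b"\r\n"]

if __name__ == "__main__":
    for line in sample_lines():
        print(parse_line(line))
```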