Exchange 2016 Message Tracking log config assistance

#1 jdalyasc

I am trying to use NXlog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here

https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs

When I create the conf file and attempt to run it the service starts but there are several errors logged in the nxlog.log file.

My config file is as follows

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension syslog>
 Module xm_syslog
</Extension>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

<Extension csv_parser>
    Module      xm_csv
    Fields      date-time, client-ip, client-hostname, server-ip, server-hostname, \
                source-context, connector-id, source, event-id, \
                internal-message-id, message-id, network-message-id, \
                recipient-address, recipient-status, total-bytes, recipient-count, \
                related-recipient-address, reference, message-subject, \
                sender-address, return-path, message-info, directionality, \
                tenant-id, original-client-ip, original-server-ip, custom-data, \
                transport-traffic-type, log-id, schema-version
</Extension>



<Input messagetracking>
    Module      im_file
    File        '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    <Exec>
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            $EventTime = parsedate(${date-time});
        }
    </Exec>
</Input>


<Output out1>
 Module om_udp
 Host 10.1.1.1
 Port 514
 Exec to_syslog_snare();
</Output>


<Route 1>
 Path messagetracking => out1
</Route>

The errors logged in the nxlog.log file are as follows.

2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started

I have yet to come across a working example of how to forward Exchange logs and was hoping someone may be able to assist. I can't see what I am missing here.

#2 Zhengshi Nxlog ✓

Your current problem lies in the ${date-time} portion. While this is supported in the EE version, it is not in the CE version as of yet.
Hyphens (-) are not supported in field names currently; I would rename them to date_time and then call them as $date_time.
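Applied to the posted configuration, the rename looks like the fragment below. This is an added example written for this thread, not the poster's config nor NXLog's own documentation sample; it assumes the same BASEDIR, csv_parser and messagetracking names as the original and the Exchange 2016 column order already listed there. Only the xm_csv field names and the $date_time reference change; the rest of the file (globals, xm_syslog, out1 and the route) stays as posted.

```nxlog
# Field names use underscores because NXLog CE 2.10 rejects '-' in a
# field reference; the order still matches the Exchange 2016 header row.
<Extension csv_parser>
    Module      xm_csv
    Fields      date_time, client_ip, client_hostname, server_ip, server_hostname, \
                source_context, connector_id, source, event_id, \
                internal_message_id, message_id, network_message_id, \
                recipient_address, recipient_status, total_bytes, recipient_count, \
                related_recipient_address, reference, message_subject, \
                sender_address, return_path, message_info, directionality, \
                tenant_id, original_client_ip, original_server_ip, custom_data, \
                transport_traffic_type, log_id, schema_version
</Extension>

<Input messagetracking>
    Module      im_file
    File        '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    <Exec>
        # The header line inside the log file still literally starts with
        # "date-time," (optionally after a UTF-8 BOM), so the drop pattern is
        # unchanged; only the names NXLog assigns to parsed columns differ.
        if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
        else
        {
            csv_parser->parse_csv();
            # Plain $date_time works in CE; ${date-time} is what triggered
            # "invalid character: '$' (0x24)" in the posted log.
            $EventTime = parsedate($date_time);
        }
    </Exec>
</Input>
```

After restarting the service, the "Couldn't parse Exec block" line should no longer appear in nxlog.log and route 1 should be added with messagetracking as its input. Note that every downstream consumer (Snare parser, SIEM field mappings) now receives underscore names such as event_id and recipient_address rather than the hyphenated ones from the Exchange header, so field mappings on the receiving side need the same rename.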