Having some issues with xm_xml
Hello there, I am having some issues with NxLog using xm_xml. The regex seems to match fine, so I think it's something else. When I try to run it, I get a completely blank file. Here is my config:
<Extension multiline>
    Module xm_multiline
    HeaderLine /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/
    #EndLine /^\s*</entry>/
</Extension>

<Extension _xml>
    Module xm_xml
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in3>
    Module im_file
    File "C:\\Users\\administrator\\Desktop\\2016.xml"
    InputType multiline
    SavePos FALSE
    ReadFromLast FALSE
    Exec if $raw_event !~ /^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">/ drop();
    Exec parse_xml();
    Exec to_json();
</Input>

<Output out3>
    Module om_file
    File "C:\\Users\\administrator\\Desktop\\testxml.txt"
</Output>
Sample Data:

<Obj RefId="0">
  <TN RefId="0">
    <T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing/4673</T>
    <T>System.Diagnostics.EventLogEntry#Security/Microsoft-Windows-Security-Auditing</T>
    <T>System.Diagnostics.EventLogEntry</T>
    <T>System.ComponentModel.Component</T>
    <T>System.MarshalByRefObject</T>
    <T>System.Object</T>
  </TN>
  <ToString>System.Diagnostics.EventLogEntry</ToString>
  <Props>
    <S N="MachineName">testServer.ad.testDomain.com</S>
    <BA N="Data" />
    <I32 N="Index">447206</I32>
    <S N="Category">(13056)</S>
    <I16 N="CategoryNumber">13056</I16>
    <I32 N="EventID">4673</I32>
    <Obj N="EntryType" RefId="1">
      <TN RefId="1">
        <T>System.Diagnostics.EventLogEntryType</T>
        <T>System.Enum</T>
        <T>System.ValueType</T>
        <T>System.Object</T>
      </TN>
      <ToString>SuccessAudit</ToString>
      <I32>8</I32>
    </Obj>
    <S N="Message">A privileged service was called._x000D__x000A__x000D__x000A_Subject:_x000D__x000A__x0009_Security ID:_x0009__x0009_S-1-5-21-26028188-150678075-188441444-157239_x000D__x000A__x0009_Account Name:_x0009__x0009_testAccount_x000D__x000A__x0009_Account Domain:_x0009__x0009_testDomain_x000D__x000A__x0009_Logon ID:_x0009__x0009_0x2053a6e4_x000D__x000A__x000D__x000A_Service:_x000D__x000A__x0009_Server:_x0009_Security_x000D__x000A__x0009_Service Name:x0009-_x000D__x000A__x000D__x000A_Process:_x000D__x000A__x0009_Process ID:_x0009_0x1770_x000D__x000A__x0009_Process Name:_x0009_C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_x000D__x000A__x000D__x000A_Service Request Information:_x000D__x000A__x0009_Privileges:_x0009__x0009_SeCreateGlobalPrivilege</S>
    <S N="Source">Microsoft-Windows-Security-Auditing</S>
    <Obj N="ReplacementStrings" RefId="2">
      <TN RefId="2">
        <T>System.String[]</T>
        <T>System.Array</T>
        <T>System.Object</T>
      </TN>
      <LST>
        <S>S-1-5-21-26028188-150678075-188441444-157239</S>
        <S>testAccount</S>
        <S>testDomain</S>
        <S>0x2053a6e4</S>
        <S>Security</S>
        <S>-</S>
        <S>SeCreateGlobalPrivilege</S>
        <S>0x1770</S>
        <S>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</S>
      </LST>
    </Obj>
    <I64 N="InstanceId">4673</I64>
    <DT N="TimeGenerated">2018-08-14T08:34:37-04:00</DT>
    <DT N="TimeWritten">2018-08-14T08:34:37-04:00</DT>
    <Nil N="UserName" />
    <Nil N="Site" />
    <Nil N="Container" />
  </Props>
  <MS>
    <I32 N="EventID">4673</I32>
  </MS>
</Obj>
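
An offline check of the data shape, added here as an example and not part of the original post or of NXLog: it applies the post's HeaderLine pattern to split records line by line, then flattens each record's `<Props>` into JSON and decodes the `_xHHHH_` escapes seen in the Message field. The function names and the shortened two-record sample are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET
# HeaderLine pattern copied from the config in the post.
HEADER = re.compile(r'^\s*<Obj RefId="[0-9][0-9]?[0-9]?[0-9]?">')
# The serializer writes control characters as _xHHHH_ (_x000D__x000A_ is CRLF).
ESCAPE = re.compile(r'_x([0-9A-Fa-f]{4})_')
# Constructed sample: two shortened records shaped like the post's data.
SAMPLE = '''<Obj RefId="0">
  <Props>
    <S N="MachineName">testServer.ad.testDomain.com</S>
    <I32 N="EventID">4673</I32>
    <Obj N="EntryType" RefId="1"><ToString>SuccessAudit</ToString></Obj>
    <S N="Message">A privileged service was called._x000D__x000A__x0009_Account Name:_x0009__x0009_testAccount</S>
    <Nil N="UserName" />
  </Props>
</Obj>
<Obj RefId="12">
  <Props><I32 N="EventID">4673</I32></Props>
</Obj>
'''

def split_records(text):
    """Start a new record at every line the HeaderLine pattern matches."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append([line])
        elif records:  # lines before the first header are discarded
            records[-1].append(line)
    return ["\n".join(r) for r in records]

def record_to_dict(record):
    """Flatten the named children of <Props> into a dict."""
    out = {}
    for el in ET.fromstring(record).find("Props"):
        if el.tag == "Nil":
            value = None
        elif el.tag == "Obj":  # nested object: keep its ToString form
            value = el.findtext("ToString")
        elif el.tag in ("I16", "I32", "I64"):
            value = int(el.text)
        else:  # strings and dates: undo the _xHHHH_ escaping
            value = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), el.text or "")
        out[el.get("N")] = value
    return out

def to_json_lines(text):
    return [json.dumps(record_to_dict(r)) for r in split_records(text)]
```

The nested `<Obj N="EntryType" RefId="1">` line does not match the header pattern because `N=` precedes `RefId=`, so it stays inside its parent record.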