Let's Talk
Let's Talk

NXLog and MS Exchange Server Transport Logs

Tags:
#1 michaelb

I'm trying to use the NXLog to Transfer my MS Exchange Server Transport Logs to an Elastic Search Server. I added the follwing config to the nxlog.conf File:

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange> Module im_file File '%BASEDIR%\MSGTRK????????-.LOG' # Exports all logs in Directory SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input>

<Output out_exchange> Module om_udp Host <IP of Elastic Search Server> Port <Port of the Elasioc Search Server> Exec $SyslogFacilityValue = 2; Exec $SourceName = 'exchange_msgtrk_log'; Exec to_syslog_bsd(); </Output>

<Route exchange> Path in_exchange => out_exchange </Route>

When I start the nxlog Service it states in the log: INFO nxlog-ce-2.10.2150 started

I don't get any information on the ElasticSearch Server. In the Wireshark I don't see any UDP packet and so I guess the NXLOg Service don't do anything.

Are there any more inormation or debugging logs to use?

Thanks for any hint

Michael

Permalink
#2 camharrisDeactivated Nxlog ✓
#1 michaelb

I'm trying to use the NXLog to Transfer my MS Exchange Server Transport Logs to an Elastic Search Server. I added the follwing config to the nxlog.conf File:

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange> Module im_file File '%BASEDIR%\MSGTRK????????-.LOG' # Exports all logs in Directory SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input>

<Output out_exchange> Module om_udp Host <IP of Elastic Search Server> Port <Port of the Elasioc Search Server> Exec $SyslogFacilityValue = 2; Exec $SourceName = 'exchange_msgtrk_log'; Exec to_syslog_bsd(); </Output>

<Route exchange> Path in_exchange => out_exchange </Route>

When I start the nxlog Service it states in the log: INFO nxlog-ce-2.10.2150 started

I don't get any information on the ElasticSearch Server. In the Wireshark I don't see any UDP packet and so I guess the NXLOg Service don't do anything.

Are there any more inormation or debugging logs to use?

Thanks for any hint

Michael
Your configuration does not appear to be incorrect. You can generate additional log messages in nxlog log file. Please see [here](https://nxlog.co/documentation/nxlog-user-guide-full#generating-additional-log-messages-in-your-configuration). I would recommend adding a log_info() procedure to your input module in_exchange similar to below: ``` Module im_file File '%BASEDIR%\MSGTRK????????*-*.LOG' # Exports all logs in Directory SavePos TRUE Exec log_info("raw_event [" + $raw_event + "]"); Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); ``` This would allow you to test and verify that your input module is collecting the desired events.
Login to see more