Windows multiline event log not being parsed by nxlog
Hi, I have the following Windows log message which I am trying to parse, removing the \r, \t and \n from the log. With what I am using, I am unable to parse it and it still shows me the log content as is.
input: ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege
output: ACBDEFG 12/03/2018 10:15:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege
I am using the Community Edition and trying to parse it using the following nxlog configuration. Can you please suggest any changes needed in the conf?
Global section

User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

# Extension section
<Extension multi>
    Module xm_multiline
    HeaderLine /^================/
    EndLine /^---------------/
</Extension>

Modules section

<Input in>
    Module im_tcp
    Host 0.0.0.0
    Port 1532
    #InputType multi
    # Remove the boundary markers
    Exec if $raw_event =~ s/========[=]+//g {}
    # Make a single line
    Exec if $raw_event =~ s/[\r\n]/ /g {}
    # Remove the end directive
    Exec if $raw_event =~ s/--------[-]+//g {}
    Exec if $raw_event =~ /^ *$/ drop();
    Exec $raw_event = replace($raw_event, "\t", " ");
</Input>

<Output out>
    Module om_file
    File '/tmp/output'
    #Exec $raw_event = "--------------------------------------\n" + $raw_event;
</Output>

Route section

<Route r>
    Path in => out
</Route>
The issue is that these are not single characters of a newline (\n) and tabs (\t) but in fact two characters (\) and (n). Add an extra slash and you should be good. I changed the line with \r and \n to use an OR structure as well.
    Exec if $raw_event =~ s/\\r|\\n/ /g {}
    # Remove the end directive
    Exec if $raw_event =~ s/--------[-]+//g {}
    Exec if $raw_event =~ /^ *$/ drop();
    Exec $raw_event = replace($raw_event, "\\t", " ");
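The point of the answer can be checked outside nxlog. The following Python script is an added example, not code from the original question or answer and not nxlog's own code: it rebuilds the escaped wire form of a 4672 event (a constructed sample with placeholder host, SID, domain and logon ID, not the poster's data), shows that a regex for real CR/LF control characters leaves it untouched while the backslash-escaped pattern from the answer flattens it, and then goes one step beyond the thread by parsing the event into header fields, Subject fields and the privilege list, which is what a detection rule on 4672 (SeDebugPrivilege assigned to a non-service account, for instance) actually needs. Function names are hypothetical.

```python
import re

# Constructed sample, not taken from the original post: the escaped form of a
# Windows Security event 4672 as it arrives over TCP in the question. The sending
# agent has already turned CR, LF and TAB into the two-character sequences \r, \n
# and \t, so raw strings are used here to keep the backslashes literal.
# Host, SID, domain and logon ID are placeholders.
RAW_EVENT = (
    r"ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\n"
    r"SourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\n"
    r"Type=Information\r\nComputerName=HOST01.example.test\r\n"
    r"TaskCategory=Special Logon\r\nKeywords=Audit Success\r\n"
    r"Message=Special privileges assigned to new logon.\r\r\n\r\r\n"
    r"Subject:\r\r\n\tSecurity ID:\t\tS-1-5-18\r\r\n\tAccount Name:\t\tHOST01$\r\r\n"
    r"\tAccount Domain:\t\tEXAMPLE\r\r\n\tLogon ID:\t\t0x3e7\r\r\n\r\r\n"
    r"Privileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n"
    r"\t\t\tSeDebugPrivilege"
)

# What the question's Exec line matches: real CR and LF control characters.
CONTROL_CHARS = re.compile(r"[\r\n]")
# What the answer's Exec line matches: a backslash followed by r or n.
ESCAPED_SEQS = re.compile(r"\\r|\\n")
# Header lines of the event look like Key=Value with no spaces in the key.
HEADER = re.compile(r"^([A-Za-z]+)=(.*)$")


def flatten_with_control_char_regex(event: str) -> str:
    # Equivalent of  s/[\r\n]/ /g  plus replace("\t", " "): only real control
    # characters match, so the escaped wire form comes back unchanged.
    return CONTROL_CHARS.sub(" ", event).replace("\t", " ")


def flatten_with_escaped_regex(event: str) -> str:
    # Equivalent of the answer's  s/\\r|\\n/ /g  plus replace("\\t", " "),
    # followed by squeezing the runs of spaces that \r\r\n sequences leave behind.
    flat = ESCAPED_SEQS.sub(" ", event).replace(r"\t", " ")
    return re.sub(r" {2,}", " ", flat).strip()


def unescape(event: str) -> str:
    # Turn the two-character sequences back into real CR, LF and TAB. This is
    # ambiguous by nature: a genuine backslash-r inside a value (a path such as
    # C:\reports) is converted too, which is why a structured format produced on
    # the sending side is preferable when you control the Windows agent.
    return event.replace(r"\r", "\r").replace(r"\n", "\n").replace(r"\t", "\t")


def parse_event(event: str) -> dict:
    # Structure the event: Key=Value header fields, the tab-separated Subject
    # fields, and the Privileges list spread over continuation lines.
    fields, privileges, in_privs = {}, [], False
    for line in unescape(event).replace("\r", "").split("\n"):
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Privileges:"):
            in_privs = True
            first = stripped.partition(":")[2].strip()
            if first:
                privileges.append(first)
            continue
        if in_privs:
            privileges.append(stripped)
            continue
        m = HEADER.match(stripped)
        if m:
            fields[m.group(1)] = m.group(2)
        elif "\t" in stripped:
            key, _, value = stripped.partition(":")
            fields[key.strip()] = value.strip()
        elif not stripped.endswith(":"):
            fields.setdefault("Preamble", stripped)
    return {"fields": fields, "privileges": privileges}


if __name__ == "__main__":
    unchanged = flatten_with_control_char_regex(RAW_EVENT) == RAW_EVENT
    print("single-char regex left the event unchanged:", unchanged)
    print(flatten_with_escaped_regex(RAW_EVENT))
    parsed = parse_event(RAW_EVENT)
    print(parsed["fields"]["EventCode"], parsed["fields"]["Account Name"], parsed["privileges"])
```

In nxlog terms the two flatten functions are the difference between /[\r\n]/ and /\\r|\\n/. Flattening is enough to get one event per line into /tmp/output, but note that it throws away the only structure the message has; if the goal is to alert on the privileges in the event, keep the unescaped form and extract fields as parse_event does, and keep in mind that unescaping cannot distinguish a literal backslash-r in a value from an escaped carriage return.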