send json log file to syslog server - Page 1

#1 coder 5 years ago

i want to send my atp log to syslog server with the help of nxlog . i am storing atplog to atp.log file and the data is in json format.

I am using below configuration but i am not getting anything on my syslog server which is AV.

configuration:
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS 10.0.2.4
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>
<input atplogfile>
Module im_atplogfile
</input>

<Input ATPLogs_IN>
Module im_atplogfile
File "C:\temp\log\atplogs-.log"
Exec $Message = to_json(); to_syslog_bsd();
</Input>

<Output ATPLogs_OUT>
Module om_atplogfile
File "/var/log/nxlog/syslog.log"
Exec to_syslog_bsd();
</Output>

########################################
# Routes #
########################################
<Route 1>
Path ATPLogs_IN => ATPLogs_OUT
</Route>

<Input eventlog>
Module im_msvistalog
Query <QueryList>

<Query Id="0">

<Select Path="Application"></Select>

<Select Path="System"></Select>

<Select Path="Security"></Select>

</Query>

</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Output out>

Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();

</Output>

<Route 1>
Path eventlog, internal => out
</Route>

Permalink

#2 b0ti Nxlog ✓ 5 years ago

#1 coder

i want to send my atp log to syslog server with the help of nxlog . i am storing atplog to atp.log file and the data is in json format. I am using below configuration but i am not getting anything on my syslog server which is AV. configuration: # Configuration for converting and sending Windows logs # to AlienVault USM Anywhere. # define ROOT C:\Program Files (x86)\nxlog define OUTPUT_DESTINATION_ADDRESS 10.0.2.4 define OUTPUT_DESTINATION_PORT 514 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> <input atplogfile> Module im_atplogfile </input> <Input ATPLogs_IN> Module im_atplogfile File "C:\temp\log\atplogs-.log" Exec $Message = to_json(); to_syslog_bsd(); </Input> <Output ATPLogs_OUT> Module om_atplogfile File "/var/log/nxlog/syslog.log" Exec to_syslog_bsd(); </Output> ######################################## # Routes # ######################################## <Route 1> Path ATPLogs_IN => ATPLogs_OUT </Route> <Input eventlog> Module im_msvistalog Query <QueryList> <Query Id="0"> <Select Path="Application"></Select> <Select Path="System"></Select> <Select Path="Security"></Select> </Query> </QueryList> Exec if ($EventID == 5156) OR ($EventID == 5158) drop(); </Input> <Output out> Module om_udp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = to_json(); to_syslog_bsd(); </Output> <Route 1> Path eventlog, internal => out </Route>

If the data is already in JSON you should get rid of Exec $Message = to_json(); to_syslog_bsd(); in ATPLogs_IN. Note that since the conversion is already done in the output instance, invoking to_syslog_bsd() is not needed there.