How to replace the Host IP in the output section by a variable or a regex?

#1 mikal

Hello, I'm both new here and new to nxlog, so excuse my question if it sounds awkward. I'm trying to configure nxlog for an environment with multiple intermediary loghosts which have different IP addresses. The only pattern is that the machine that is sending the log and the loghost always have similar first three octets (same subnet). So the computer 192.168.0.10 will send logs to 192.168.0.100 and the computer 10.10.10.30 will send its logs to 10.10.10.100. The last octets of all loghosts are similar as well.

My goal is to be able to call the computer IP with HostIP, match it with a regex [0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3} and transform it to $1.$2.$3.100 which will be the loghost IP. My output module may look like this:

```
<Output loghost>
    Module om_udp
    Host $loghost
    Port 514
</Output>
```

Why am I doing this? I'm deploying nxlog via GPO and wanted to send a single nxlog.conf to all the domain computers which will find the corresponding loghost based on their own IP.

At this time, none of my attempts to add a regex to an Exec directive in the output module have been successful. If anyone has come across the need for adding a variable as Host or a similar issue, I would appreciate your help. Any other directions are much appreciated.

Thank you, Mikal

#2 Zhengshi Nxlog ✓

Mikal, I think the issue you are running into is that you cannot update those directives with a field, only defines. That is to say `Host $ip` won't work, but `Host %IP%` will.

In NXLog EE, there are a couple ways you could get this to work, but they would both require a script run on the box at execution time.

**Pulling in Environment Variables:** You could write a script that runs on your servers that sets an environment variable for your loghost based on the server IP.

https://nxlog.co/documentation/nxlog-user-guide-full#config_overview_envvar

```
envvar IP

<Output loghost>
    Module om_udp
    Host %IP%
    Port 514
</Output>
```

____

**Using a script to populate directives with `include_stdout`:** You would write a script that does this calculation for you and then outputs where the include is. See this example for inputting `File` directive.

https://nxlog.co/documentation/nxlog-user-guide-full#iis_automatic_retrieval

____

Another solution could be to create an Output for each Loghost you are wanting to send to and adding some code that will match the IP needed and drop it.

Note: This code has not been tested.

```
<Extension _resolver>
    Module xm_resolver
</Extension>

<Output loghost1>
    Module om_udp
    Host 192.168.0.100
    Port 514
    Exec if name_to_ipaddr($Hostname) !~ /^192\.168\.0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4]))$/ drop();
</Output>
```

Your route would then include all outputs. `Path in=>loghost1,loghost2,loghost3`
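A sketch of the calculation script the `include_stdout` suggestion calls for, added here as an example and not taken from the thread or from NXLog's own material. It assumes the loghost is always the first three octets plus `.100` as described in the question; the function name `Get-LoghostAddress`, the single-address rule and how the script gets launched from the include are assumptions.

```powershell
# Added example: print the Host directive for this machine's loghost on stdout.
# Assumption: the loghost is <first three octets>.100, as in the question.
$LoghostLastOctet = 100

function Get-LoghostAddress {
    param([Parameter(Mandatory)][string]$HostIP)

    # Anchored match with captures. The unanchored [0-9]{1,3} pattern from the
    # question would also accept values such as 999, so range-check below.
    if ($HostIP -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') {
        throw "Not a dotted-quad IPv4 address: $HostIP"
    }
    $octets = 1..4 | ForEach-Object { [int]$Matches[$_] }
    if ($octets | Where-Object { $_ -gt 255 }) {
        throw "Octet out of range: $HostIP"
    }

    # Loopback and APIPA addresses say nothing about the machine's real subnet.
    if ($octets[0] -eq 127 -or ($octets[0] -eq 169 -and $octets[1] -eq 254)) {
        throw "Unusable address for loghost derivation: $HostIP"
    }

    '{0}.{1}.{2}.{3}' -f $octets[0], $octets[1], $octets[2], $LoghostLastOctet
}

# Collect this machine's IPv4 addresses, skipping loopback and APIPA.
$candidates = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notmatch '^(127\.|169\.254\.)' } |
    Select-Object -ExpandProperty IPAddress)

# Fail closed: with zero or several candidates, print no directive at all
# rather than pointing the output at a guessed host.
if ($candidates.Count -ne 1) {
    [Console]::Error.WriteLine("Expected exactly one IPv4 address, found $($candidates.Count)")
    exit 1
}

# The only line written to stdout is the directive to be included.
"Host $(Get-LoghostAddress -HostIP $candidates[0])"
```

On a machine at 192.168.0.10 this prints `Host 192.168.0.100`; multi-homed machines need an explicit rule for which interface decides the subnet.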