NXLog Enrichment
I'm attempting to enrich some Windows event logs with "ClientMachine", which needs to equal the hostname. I'm having issues with only some logs coming through with this enriched field, while others do not contain the ClientMachine enrichment. My config is below. Any help would be greatly appreciated.
Panic Soft

define ROOT C:\Program Files\nxlog
#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data
#define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The MYLOGFILE
# define is also used to rotate the log file automatically (see the _fileop
# block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host 192.168.1.20
    Port 11105
    Exec $ClientMachine = hostname_fqdn();
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>
Any help would be appreciated. I'm stuck on this.
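For comparison, an added example config (not the poster's own): the Snare line produced by to_syslog_snare() is assembled from a fixed set of event fields ($Hostname, $EventID, $SourceName, $Message and so on), so a custom field such as $ClientMachine is not part of that line no matter where it is set. Carrying the enrichment end to end needs an output format that serializes every field, such as JSON via xm_json; the om_file output below is only a local check that the field is present before sending over TCP, and its file path is a placeholder.

```conf
<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
    # Enrich at the input so every event carries the field, whichever output it reaches
    Exec    $ClientMachine = hostname_fqdn();
</Input>

# Local check: write the enriched events as JSON to a file (placeholder path)
<Output verify>
    Module  om_file
    File    'C:\Program Files\nxlog\data\enriched.json'
    Exec    to_json();
</Output>

# JSON keeps all fields, including $ClientMachine, unlike the fixed Snare layout
<Output out>
    Module  om_tcp
    Host    192.168.1.20
    Port    11105
    Exec    to_json();
</Output>

<Route 1>
    Path    in => verify, out
</Route>
```

Each line in enriched.json should contain a "ClientMachine" key alongside EventID, Channel and Message; once confirmed, the verify output can be dropped from the route.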