Regex to set variable


nembosec

Hi, I'm trying to use a regex in NXLog. My current configuration saves firewall logs to a .txt file, using the $Sender value to build the file name.

.......

<Input *****>
    Module  im_tcp
    Host    0.0.0.0
    Port    1001
    <Exec>
        if $raw_event =~ /LEEF/ parse_leef();
        else parse_syslog();
    </Exec>
</Input>

.......

<Output >
    define  OUT_DIR %LOGDIR2%/
    Module  om_file
    File    "%OUT_DIR%/" + $Sender + ".txt"
    <Schedule>
        Every   3600 sec
        <Exec>
            if file_size() > 0M
            {
                set_var('newfile', file_name() + strftime(now(), '_%Y%m%d%H%M%S') + '.log');
                rotate_to(get_var('newfile'));
                exec_async('C:/Program Files/GnuWin32/bin/bzip2.exe', 'E:// *.log');
            }
        </Exec>
    </Schedule>
</Output>

.........

This is the log:

<13>Sep 4 16:07:23 Firewall: LEEF:1.0|FORCEPOINT|Firewall|1.1.1|Connection_Discarded|src=122.1.1.1 EventReceivedTime=2019-09-04 16:07:23 SourceModuleName=****** SourceModuleType=im_tcp LEEFVersion=<1> LEEF:0.0 Vendor=FORCEPOINT vSrcName=Firewall Version=1.1.1 EventID=Connection_Discarded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=2019-09-04 16:07:23 proto=1 dstPort=80 srcPort=53438 dst=192.1.1.1 sender=services.fw.mi01.custom.cloud node 1 action=Discard

The system sets the value of $Sender like this:

$Sender = services.fw.mi01.custom.cloud node 1 action=Discard.txt

But I need the system to set $Sender only up to "node 1", like this:

$Sender = services.fw.mi01.custom.cloud node 1.txt

I thought about using a regex to extract the value I need, but it doesn't work. This is the one I tried:

<Exec>
    if $Sender =~ /(?<=sender=).[^\t]+/g; $Sender = $1
</Exec>

Can I do this thing? If so, what should I do?

Thank you,
Antonio
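One way to populate $Sender from the LEEF line with a capture group, as an added example that is not part of the original post and not NXLog's own documentation. It assumes the instance names fw_tcp, fw_files and fw, the field name $Sender and the %LOGDIR2% define from the post; the regex is matched against $raw_event so it does not depend on what parse_leef() names its own fields. In NXLog's Exec language $1 is only filled by a parenthesised capture group, so the group here spans the sender value up to and including the "node N" token. Because the captured text becomes part of a file name, the character class is deliberately narrow: a sender value carrying "/", "\" or ".." would not match and falls through to a fixed fallback file instead of being written into an attacker-chosen path.

```nxlog
<Input fw_tcp>
    Module  im_tcp
    Host    0.0.0.0
    Port    1001
    <Exec>
        if $raw_event =~ /LEEF/ parse_leef();
        else parse_syslog();

        # Capture everything after "sender=" up to and including "node N".
        # The parentheses make the capture group that fills $1.
        # Only letters, digits, dots and dashes are allowed before "node",
        # so a log-supplied value cannot smuggle path separators into the
        # output file name built from $Sender below.
        if $raw_event =~ /sender=([A-Za-z0-9.\-]+ node [0-9]+)/
        {
            $Sender = $1;
        }
        else
        {
            # Unmatched or malformed sender values all land in one known
            # file instead of creating an arbitrary file per event.
            $Sender = "unknown-sender";
        }
    </Exec>
</Input>

<Output fw_files>
    Module  om_file
    # %LOGDIR2% is assumed to be defined globally, as in the original config.
    File    "%LOGDIR2%/" + $Sender + ".txt"
</Output>

<Route fw>
    Path    fw_tcp => fw_files
</Route>
```

For the sample event in the post, $Sender becomes "services.fw.mi01.custom.cloud node 1" and the event is written to "services.fw.mi01.custom.cloud node 1.txt"; the trailing "action=Discard" is excluded because the group ends at the "node 1" token rather than at a tab, so it works whether the LEEF pairs arrive tab- or space-separated. Events whose sender value fails the allow-list are easy to spot afterwards by watching the size of unknown-sender.txt.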