Cannot extract data from regex? All variables are always empty

View thread

lostence

Hello I'm trying to send Windows DNS logs through NXLog, but i'm having a problem. I followed the documentation and ended up with the following config file.

Events seem to match the regex, but then i can't seem to use any of the named group names ($Date, $QuestionName, ... any). I tried to log_info(); but it always shows up as an empty string in the log file :

  • This: log_info('q is ' + $QuestionName);
  • Shows up in logs as "q is" (and nothing else)

Anyone knows what i'm doing wrong ? I don't see "no match" in my logfile so i guess events always match the EVENT_REGEX.

Been struggling with this for 24 hours .. even tried unnamed capture groups but also the $0, $1... always show empty.

(config file also at https://pastebin.com/s4CaJg9k in case of problems)


Panic Soft #NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data

Example data :

#14-09-19 09:20:39 0B64 PACKET 0000005487B8E130 UDP Rcv 172.30.2.30 486a Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(8)transfer(2)be(0) #14-09-19 09:20:39 0B60 PACKET 0000005487FAC120 UDP Rcv 172.30.1.38 9b88 Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(0)

define EVENT_REGEX /(?x)(?<Date>\d+(?:-\d+){2})\s (?<Time>\d+(?::\d+){2})\s (?<ThreadId>\w+)\s+ (?<Context>\w+)\s+ (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ (?<Protocol>\w+)\s+ (?<SendReceiveIndicator>\w+)\s (?<RemoteIP>[[:xdigit:].:]+)\s+ (?<Xid>[[:xdigit:]]+)\s (?<QueryType>\s|R)\s (?<Opcode>[A-Z]|?)\s (?<QFlags>[(.?)])\s+ (?<QuestionType>\w+)\s+ (?<QuestionName>.)/ define EMPTY_EVENT_REGEX /(^$|^\s+$)/ define DOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)/ define SUBDOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)(\d+)(\w+)/ define NOT_STARTING_WITH_DATE_REGEX /^(?!\d+-\d+-\d+).+/ define QFLAGS_REGEX /(?x)(?<FlagsHex>\d+)\s+ (?<FlagsCharCodes>\s+|([A-Z]{2}|[A-Z]))\s+ (?<ResponseCode>\w+)/

<Extension _json> Module xm_json </Extension>

<Input in> Module im_file File 'C:\dnslog\dns.log' <Exec> # Drop entries that have empty lines if $raw_event =~ %EMPTY_EVENT_REGEX% drop(); # Drop entries not starting with date if $raw_event =~ %NOT_STARTING_WITH_DATE_REGEX% drop(); # Split entries into fields & define regular entries if $raw_event =~ %EVENT_REGEX% { $Regular = TRUE; #$EventTime = parsedate($Date + " " + $Time); $Raw = $raw_event; #delete($date); #delete($time); if $FlagsCharCodes =~ /^\s+$/ delete($FlagsCharCodes ); # Convert domains from (8)mydomain(1)com to mydomain.com if $QuestionName =~ %DOMAIN_REGEX% $QuestionName = $1 + "." + $2; # Convert domains from (8)sub(8)mydomain(1)com to sub.mydomain.com if $QuestionName =~ %SUBDOMAIN_REGEX% $QuestionName = $1 + "." + $2 + "." +$3;

        # Set query flags
        if $QFlags =~ %QFLAGS_REGEX% delete($QFlags);

        # Set the query type
        if $QueryType =~ %EMPTY_EVENT_REGEX% $QueryType = &quot;query&quot;;
        else $QueryType = &quot;response&quot;;

        log_info('q is ' + $QuestionName);
    }
    else
    {
        $Regular = FALSE;
        $Raw = $raw_event;
        log_info(&quot;no match&quot;);
    }
&lt;/Exec&gt;

</Input>

<Output out> Module om_file Exec to_json(); File 'C:\output-dns-traffic.json' </Output>

<Route r1> path in => out </Route>