Send a message to syslog server

#1 GustavoM

Hello, I am sending a message with hostname to my syslog server, my conf is as follows:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <Exec>
        parse_syslog();
        $Message = "hostnamexxx" + $Message;
        to_syslog_ietf();
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host xx.xxx.xx
    Port 514
    Exec to_syslog_ietf();
</Output>

<Route 1>
    Path in => out
</Route>

My log is coming with the message correctly:

Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] hostnamexxxxINFO 1102 The audit log was cleared. Subject: Security ID: # xxxxxxxx-1001 Account Name: Admin Domain Name: DESKTOP-XXXXX Logon ID: 0xD438A

However, the message "hostnamexxxx" is coming in the middle of the log, as you can see above. This is disturbing my parser, is there any way I can put this "hostnamexxxx" message last in my log? Example:

Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] INFO 1102 The audit log was cleared. Subject: Security ID: # xxxxxxxx-1001 Account Name: Admin Domain Name: DESKTOP-XXXXX Logon ID: 0xD438A hostnamexxxx

Thanks

#2 manuel.munoz (Deactivated) Nxlog ✓

Sure, just change the order in the expression:

$Message = $Message + " hostnamexxx";
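How a receiving parser can consume the reordered line, as an added example that is not part of the original thread or of NXLog. The regular expression, the function name `parse_line` and the field names are assumptions, and the sample lines are constructed from the log output quoted in post #1.

```python
import re

# Assumed layout, based on the log lines quoted in this thread:
# "<Mon DD HH:MM:SS> <host> <source> [<pid>] <SEVERITY> <EventID> <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<source>\S+) ?\[(?P<pid>\d+)\]:? "
    r"(?P<severity>[A-Z]+) (?P<event_id>\d+) (?P<text>.*)$"
)

def parse_line(line, known_tags):
    """Parse one line; return a dict of fields, or None if it does not match.

    known_tags is the set of tags the senders append (assumption: each
    sender is configured with one fixed, whitespace-free tag).
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # e.g. the tag was prepended and fused with the severity
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    fields["pid"] = int(fields["pid"])
    # The tag is the last whitespace-separated token; accept it only if it
    # is a tag we expect, so ordinary message text is never cut off.
    head, _, last = fields["text"].rpartition(" ")
    if head and last in known_tags:
        fields["text"], fields["tag"] = head, last
    else:
        fields["tag"] = None
    return fields

# Constructed sample lines, modelled on the output quoted in the thread.
APPENDED = ("Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] "
            "INFO 1102 The audit log was cleared. Logon ID: 0xD438A hostnamexxx")
PREPENDED = ("Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] "
             "hostnamexxxINFO 1102 The audit log was cleared. Logon ID: 0xD438A")
UNTAGGED = ("Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] "
            "INFO 1102 The audit log was cleared. Logon ID: 0xD438A")

if __name__ == "__main__":
    for sample in (APPENDED, PREPENDED, UNTAGGED):
        print(parse_line(sample, {"hostnamexxx"}))
```

With the tag appended, the severity and event ID stay in fixed positions, so a rule keyed on event 1102 (audit log cleared) still matches; the prepended form fails to parse at all.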