Split input to multiple outputs based on content

How can I select some messages from a single source for one output and some for another based on the syslog content? I'm using the community edition. I have RTFMed but haven't found anything describing how to do this. I've tried using the Route block to send to multiple outputs and then using the drop() option in the output inside some <Exec> tags, but it doesn't seem to work and I end up with the same stuff in both outputs.

Asked July 6, 2016 - 10:36pm

xm_perl with nested fields

Hi, I'm trying to add some info to my logs via xm_perl before sending it to elasticsearch (using json format). As a result, it would be nice to add some fields from my perl code in a nested way. Is it possible to use something like set_field_XXX($event, "myAddedfield.myAddedSubfield", "value")?


At the end, I want to create nested fields inside my json object.



Asked July 4, 2016 - 7:17pm

Configuration to send Windows Security Logs only

Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the security Events on our servers, and have our config file as shown:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog

Asked July 1, 2016 - 6:41pm

Detecting operating system

I want to be able to take into account the version of the operating system (which is unknown at time of installation) in the configuration.

For example, I might want to output to a different server based on whether the installation is running on a server or on a workstation.



Asked June 30, 2016 - 4:31pm