Hello everyone, As you can see from my NXlog config below, I am pulling the Linux auth logs in and passing them to our SIEM platform. The auth logs work fine, however as you can also see I am trying to pull in a CSV file that is located on the Linux box. Each individual event is surrounded by curly brackets e.g: {'event}, so I would like to just pull each event into a field called message and then parse these messages on our SIEM platform. I can't seem to get this to work whatsoever, the TCP connection initiates, but NXlog doesn't pickup the CSV file. Any ideas?   Cheers G ######################################## # Global directives                    # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO ######################################## # Modules                              # ######################################## <Extension _syslog> Module  xm_syslog </Extension> <Input auth_logs>         Module  im_file         File    "/var/log/auth.log"         SavePos TRUE         ReadFromLast    TRUE </Input> <Output to_relay>         Module  om_tcp         Host    127.0.0.1         Port    20009         OutputType      LineBased </Output> ######################################## # Routes                               # ######################################## <Route 1>         Path    auth_logs => to_relay </Route> <Extension csv1>         Module  xm_csv         Fields  $Message         Delimiter       '{' </Extension> <Input filein>         Module  im_file         File    "/etc/ingest/sucuri/sucuri.csv"         Exec    csv1->parse_csv(); </Input> <Output test>         Module  om_tcp         Host    127.0.0.1         Port    20002         OutputType      Binary </Output> <Route 2>         Path    filein => test </Route>

​ What is the most efficient way to parse Microsoft DNS Server debug logs into something more tidy, say into a CSV or KVP format on the nxlog agent? Consider the following log message: "24/02/2017 16:37:22 09B0 PACKET  0000009657E7BA40 UDP Rcv 10.0.100.15   a490   Q [0001   D   NOERROR] A      (7)example(3)com(0)" First of all, what would be the most efficient way performance-wise to convert this into a CSV or KVP format? And also, is there some other way besides using Exec and replacing parenthesis and numbers in a sed-like manner to get the clean query name? We have tried to use the Exec method before, but we were hitting some serious performance issues on busy DNS servers. I have currently switched on to using the pm_pattern module to drop invalid log lines (the beginning of the log file and empty lines) and I was wondering if there would be some easy way to perform both of the tasks (the formatting and the cleaning) using the pm_pattern module? An example output could look something like the following: datetime=24/02/2017 16:37:22,thread_id=09B0,context=PACKET,packet_id=0000009657E7BA40,protocol=UDP,action=Rcv,remote_ip=10.0.100.15, xid=a490,event_type=-,opcode=Q,flags_hex=0001,is_authorative=-,is_truncated=-,recursion_desired=D,recursion_available=-, response_code=NOERROR,question_type=A,question_name=example.com The empty or "-" values result from fields specified in the DNS debug log format that are not present in the above message (e.g. all possible flags would be "ATDR", and event_type is "-" because "R" marks a response but an empty value (whitespace) marks a query. And of course, if the above even is possible, would it be too resource consuming?