
I have a fairly simple question regarding sending an XML file to my Syslog receiver (Nitro box). Currently, I'm attempting to send this file to my Nitro box, but I'm not actually seeing the syslog being sent to Nitro. I have tcpdump watching for the packets being sent, and I'm not getting any information across. I verified that packets were being sent and captured to the Nitro box with a generic syslog generator. Here is my current .conf file.

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Extension xm_xml>
        Module xm_xml
    </Extension>

    <Input in>
        Module im_file
        File "C:\\Users\\Administrator\\Desktop\\NXLogTest\\test.xml"
    </Input>

    <Output out>
        Module om_udp
        Host xxx.xxx.xxx.xxx
        Port 514
        Exec to_syslog_bsd();
    </Output>

    <Route 1>
        Path in => out
    </Route>


After saving this file, I restart the service, but nothing is being sent. I also checked the logs and there were no errors or warnings; the service stops, exits, and restarts nicely. I'd appreciate some help so I have a clear path moving forward.


Thanks!

Asked December 14, 2015 - 4:23pm

Answer (1)

You may want to set ReadFromLast to FALSE while testing.

Comments (2)

  • nak1:

    Hi adm,

    Thanks for the help; I was able to capture the packets being transmitted and being received by Enterprise Security Manager (Nitro box). I have some additional questions for you now, though. Shown below is an example of the XML test report that I'm attempting to configure into a readable syslog. Currently, all that is being transmitted to Nitro is a lot of "N/A" packets, with the only readable information being the physical server and timestamp information. I added "Exec to_syslog_snare();" in the output of my conf file also. How would I get NXLog to read this report and print the information in a readable syslog? Right now, obviously, it is not parsing correctly. I've googled extensively but have failed to find an appropriate solution. Would I use something like pm_pattern? Sorry, I'm fairly new to NXLog and still trying to figure out all of its capabilities.

    Thanks!

    <report>
      <id>1</id>
      <name>test</name>
      <timezone>Eastern time(US+Canada)</timezone>
      <events>
        <event>
          <person_name>#K600CBB14</person_name>
          <key_name>#K600CBB14</key_name>
          <lock_name/>
          <original-type>0</original-type>
          <description>Communications Record</description>
          <date>12/7/2015 10:07:59</date>
          <source>Communications Record</source>
          <download_date>12/7/2015 10:07:59</download_date>
        </event>
      </events>
    </report>

  • adm (NXLog):

    By default im_file reads the input and treats each line as a separate event record. To be able to parse such a file you need to use xm_multiline and optionally xm_xml.

    Actually there is an example in the Reference Manual that's very similar to your use-case. Instead of to_json() you will probably want to construct the Message part of the snare event record manually after having parsed the xml:

    Exec $Message = $description + " " + $person_name; to_syslog_snare();

    We are available for more consultation work under a commercial support contract.
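Putting the answer (ReadFromLast FALSE) and the comment above (xm_multiline plus xm_xml, then building $Message by hand) together, the following is a complete nxlog.conf that reads the posted test.xml one <event>...</event> block at a time and emits one BSD-syslog line per event over UDP. This is an added example, not a configuration from the thread or from NXLog: the ROOT, File and Host values are copied from the question; the extension instance names, the HeaderLine/EndLine patterns, the drop() filter for the <report>/<events> wrapper lines, the "keyreport" SourceName and the $Message layout are my own assumptions.

```nxlog
## Added example, not from the original thread. ROOT, File and Host are taken
## from the question; everything else is assumed.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

## One record per <event>...</event> block instead of one record per line.
## Assumes each tag sits on its own line, as in the posted report.
<Extension event_multiline>
    Module     xm_multiline
    HeaderLine /^\s*<event>/
    EndLine    /^\s*<\/event>/
</Extension>

<Input in>
    Module    im_file
    File      "C:\\Users\\Administrator\\Desktop\\NXLogTest\\test.xml"
    InputType event_multiline
    # Testing only: re-read the whole file on every restart instead of
    # tailing from the end, which is why nothing was sent in the question.
    ReadFromLast FALSE
    SavePos      FALSE
    # Anything that is not an <event> block (the <report>/<events> wrapper
    # lines) is discarded before parsing.
    Exec if $raw_event !~ /<event>/ drop();
    # parse_xml() turns each child element into a field: $person_name,
    # $key_name, $description, $date, $source, $download_date, ...
    Exec parse_xml();
    # Build the syslog message by hand from the parsed fields (assumed layout);
    # $SourceName becomes the tag in the BSD syslog header.
    Exec $SourceName = "keyreport";
    Exec $Message = $description + " person=" + $person_name + " key=" + $key_name + " date=" + $date;
</Input>

<Output out>
    Module om_udp
    Host   xxx.xxx.xxx.xxx
    Port   514
    # Use to_syslog_snare() instead if the Nitro parser expects Snare format.
    Exec   to_syslog_bsd();
</Output>

<Route 1>
    Path in => out
</Route>
```

With this in place, each <event> in the sample report produces one UDP datagram whose BSD-syslog message part reads "Communications Record person=#K600CBB14 key=#K600CBB14 date=12/7/2015 10:07:59" after the priority, timestamp, hostname and "keyreport:" tag; it can be checked on the receiver with tcpdump -nn -A udp port 514. SavePos FALSE and ReadFromLast FALSE are for testing only: in production, leave position saving on so a restart does not resend the entire report. The $date field is still a string here; if Nitro should see the event's own time rather than the receive time, parse it with parsedate() into $EventTime.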