Cannot parse properly Exchange # lines

4
responses

Pepper

I do use NXLog to parse the Exchange logs and send them to my Graylog. Time to time, Graylog still receive the line #Software: Microsoft Exchange...

Note that the line is sent once per hours or two hours.

It seems that the check if $raw_event =~ /^#/ drop(); fail to drop the #line randomly.

Bellow part of my config for the input:

Module     im_file
File     "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log"
SavePos    TRUE
   ReadFromLast    TRUE
   Recursive       TRUE
   CloseWhenIdle TRUE
InputType    LineBased
   PollInterval 10

   Exec if $raw_event =~ /HealthMailbox/ drop();
   Exec if $raw_event =~ /^#/ drop();
   Exec ParseEXCHANGESMSGTRK->parse_csv();

</Input>

Any clue, help or solution is welcome

AskedApril 13, 2017 - 10:17am

Answer (1)

b0ti

Can you check that the files don't contain a UTF-8 BOM header?

If you can confirm that the EE trial is also affected (i.e. this is some bug still lurking in there) then please create a reproducible test case including a full config file and input samples and open a support ticket.

AnsweredApril 13, 2017 - 11:00am

Leave a comment

Comments (3)

b0ti (NXLog)
Leave a comment
Actually I just checked and indeed it looks like Exchange Message Tracking logs have a UTF-8 BOM header. Can you try the following?

Exec if $raw_event =~ /^#/ or /^\xEF\xBB\xBF#/ drop();
April 13, 2017 - 11:11am

Pepper
Leave a comment
I changed the line to the one upper. I will let it run during Easter and see if I still get the error message.

April 13, 2017 - 4:30pm

Pepper
Leave a comment
Thanks. So far I do not have anymore the error and files seem to be properly parsed.

April 19, 2017 - 2:28pm

You are here

Cannot parse properly Exchange # lines

Answer (1)

Comments (3)