Cannot parse properly Exchange # lines

Post a different question
4
responses

I do use NXLog to parse the Exchange logs and send them to my Graylog.  Time to time, Graylog still receive the line #Software: Microsoft Exchange...   

Note that the line is sent once per hours or two hours. 

It seems that the check if $raw_event =~ /^#/ drop(); fail to drop the #line randomly.

Bellow part of my config for the input:

<Input in_MSGTRK>

    Module          im_file
    File            "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log"
    SavePos         TRUE
    ReadFromLast     TRUE
    Recursive        TRUE
    CloseWhenIdle   TRUE
    InputType       LineBased    
    PollInterval    10

    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
    Exec ParseEXCHANGESMSGTRK->parse_csv();    

</Input>

 

Any clue, help or solution is welcome 

 

AskedApril 13, 2017 - 10:17am

Answer (1)

Can you check that the files don't contain a UTF-8 BOM header?

If you can confirm that the EE trial is also affected (i.e. this is some bug still lurking in there) then please create a reproducible test case including a full config file and input samples and open a support ticket.

AnsweredApril 13, 2017 - 11:00am

Comments (3)

  • b0ti's picture
    (NXLog)

    Actually I just checked and indeed it looks like Exchange Message Tracking logs have a UTF-8 BOM header. Can you try the following?

    Exec if $raw_event =~ /^#/ or /^\xEF\xBB\xBF#/ drop();

     

    April 13, 2017 - 11:11am