hello I had an error  while execting nxlog on windows server 

2017-05-11 15:34:51 ERROR invalid keyword: { at C:\Program Files (x86)\nxlog\conf\nxlog.conf:38



define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog

<Input in>

Module  im_file

File 'C:\DNSlogs\DNSlogs.log'
SavePos TRUE
ReadFromLast TRUE
PollInterval 5
CloseWhenIdle TRUE
# The following line is the pre-parsing of DNS log. It turns the normal DNS log line into a more readable and easy for parsing with OSSIM format
 Exec if $raw_event =~/(\d+\/\d+\/\d+\s+\d+\:\d+\:\d+)\s+.*(Snd|Rcv)\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\w+\s+\w+\s+\S+\s+\w+\s+\S+\s+(\w+)\s+\(\d+\)(\S+)\(\d+\)/\

 { \
                  $EventTime = parsedate($1); \
                  $SourceName = $3; \
                  $ProcessID = $2; \
                  $Message = $5; \
                  if $Message =~ s/\(\d+\)/./g log_info("removed all whitespace in SourceName"); \

<Output out>
    Module      om_udp
    Port        514
    Exec        to_syslog_bsd();

<Route 1>
    Path        in => out

thx for help 

AskedMay 11, 2017 - 5:32pm

Answer (1)

There is an extra blank line before  { \  that's causing the issue.

You should use <Exec></Exec> and get rid of the trailing backslashes.