1
response

Hi there,

this might be a strange question but I'm new nxlog and was wondering what the difference between an input module and a processor module is.
the background to my question is:
I want to collect logs centrally on an nxlog server, and have configured all my clients to send their logs in a nxlog-binary format. at the moment I'm testing this with Windows IIS webserver logs.

on the nxlog server i want to read the binary logs and process them. Based on the processor I'd like to forward them to two separate destinations, outputting the logs in GELF and CSV format.

Now my question:

While this codeblock in the Input module works fine:

<Input in_syslog_tcp>

  Module  im_tcp

  Host  0.0.0.0

  Port  80

 

  <Exec>

        $Hostname = hostname();

        w3c->parse_csv();

        $EventTime = parsedate($date + " " + $time);

        $raw_event = $Hostname + ' IIS-NXLOG  '  + $raw_event;

        $SourceName = "IIS";

         w3c->to_csv();

  </Exec>

  InputType Binary

</Input>

This codeblock doesn't work:

<Processor transform_iis>
  Module      pm_null
   <Exec>

        $Hostname = hostname();
        w3c->parse_csv();
        $EventTime = parsedate($date + " " + $time);
        $raw_event = $Hostname + ' IIS-NXLOG  '  + $raw_event;
        $SourceName = "IIS";
        w3c->to_csv();
  </Exec>
</Processor>

Is there any reason why this has to go into the input module? The disadvantage would be that I would have to have several input modules for all kinds of different data sources....currently I have only one input module that receives all the logs in binary format from lots of different hosts..

 

Is there maybe a better solution for this?

 

cheers,

micsnare

AskedJuly 20, 2017 - 5:25pm

Answer (1)

> This codeblock doesn't work

Can you a bit more specific?

Processor modules are now considered obsolete and should not be used (except where the functionality is not available otherwise).

See the upcoming user guide for this.