
Hello, I am testing NXLog EE, but the xm_w3c module does not work; it does not parse the Bro logs. Can you help me?

<Extension w3c>
    Module xm_w3c
    Delimiter ,
</Extension>

<Input i.bro.log>
    Module im_file
    File "/mnt/*.log"
    InputType w3c
</Input>

<Output o.bro.log>
    Module om_ssl
    Host 192.168.0.38
    Port 10525
    CAFile /data/conf/ca.crt
    AllowUntrusted TRUE
</Output>

<Route r.bro.log>
    Path i.bro.log => o.bro.log
</Route>

# ./nxlog-processor
2017-12-27 20:38:33 INFO connecting to 192.168.0.38:10525
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 15 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 10 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 34 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE

Bro files: [attached screenshot]

Graylog2

Asked December 28, 2017 - 5:57am

Answer (1)

Config

<Extension w3c>
    Module xm_w3c
    Delimiter ,
</Extension>

<Input i.bro.log>
    Module im_file
    File "/mnt/*.log"
    InputType w3c
</Input>

<Output o.bro.log>
    Module om_ssl
    Host 192.168.0.38
    Port 10525
    CAFile /data/conf/ca.crt
    AllowUntrusted TRUE
</Output>

<Route r.bro.log>
    Path i.bro.log => o.bro.log
</Route>

Error

# ./nxlog-processor
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 15 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 10 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE
2017-12-27 20:39:47 ERROR cannot parse integer "SUCCESS", invalid modifier: 'S'
2017-12-27 20:39:47 ERROR last message repeated 34 times
2017-12-27 20:39:47 ERROR couldn't parse integer: LOGON_FAILURE

Comments (1)

  • Severin Simko:

    Hi,

    Are you using the default Bro format, or did you change something?

    I think "the conversion" is missing in your output block, so the logs are still in the Bro format.

    Try adding this to your output block (don't forget the extension blocks):

    Exec to_json(); # for logs in JSON format
    or
    Exec to_syslog_bsd(); # for logs in syslog format

    In your case the configuration would be:

    <Extension w3c>
        Module xm_w3c
        #if you use default bro logs, then you don't need this delimiter
        #Delimiter ,
    </Extension>
    
    #if you want your logs in JSON format
    <Extension json>
         Module   xm_json
    </Extension>
    
    #if you want your logs in syslog format
    <Extension _syslog>
         Module   xm_syslog
    </Extension>
    
    <Input i.bro.log>
        Module im_file
        File "/mnt/*.log"
        InputType w3c
    </Input>
    
    <Output o.bro.log>
        Module om_ssl
        Host 192.168.0.38
        Port 10525
        CAFile /data/conf/ca.crt
        AllowUntrusted TRUE
        #in case you want JSON output
        Exec    to_json();
        #in case you want syslog output
        # Exec    to_syslog_bsd();
    </Output>
    
    <Route r.bro.log>
        Path i.bro.log => o.bro.log
    </Route>
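
The Bro log layout that xm_w3c reads in this thread (tab-separated records, a `#separator` line whose value is written as a backslash escape, and `#fields`/`#types` headers that type every column) can be parsed and emitted as JSON lines in a few dozen lines of Python. The following is an added example for illustration; it is not NXLog's code and not part of this thread. It assumes the standard Bro/Zeek ASCII header conventions (`#separator`, `#set_separator`, `#empty_field`, `#unset_field`) and uses a constructed sample whose column names are only loosely modeled on a Bro ntlm.log. The sample's `attempts` column is declared as a `count` and the second record deliberately carries `SUCCESS` there, so the parser meets the same class of mismatch the question's output shows (`cannot parse integer "SUCCESS"`); instead of dropping the event it keeps the raw string and records a warning, which is the behaviour a collector feeding a SIEM usually wants.

```python
import json
import re

# Constructed sample in the Bro/Zeek ASCII log layout. Column names are
# modeled loosely on a Bro ntlm.log; every value is invented. The "attempts"
# column is declared as a count, and the second record deliberately carries
# "SUCCESS" there to exercise the error path seen in the thread.
SAMPLE_BRO_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tntlm\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername"
    "\tsuccess\tstatus\tattempts\ttags\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tbool\tstring\tcount"
    "\tset[string]\n"
    "1514404800.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t49152\t10.0.0.10\t445\talice"
    "\tT\tSUCCESS\t1\ta,b\n"
    "1514404801.500000\tCk2dWq4BnV7pL1xYz\t10.0.0.7\t49153\t10.0.0.10\t445\t-"
    "\tF\tLOGON_FAILURE\tSUCCESS\t(empty)\n"
    "#close\t2017-12-27-20-40-00\n"
)

_CONTAINER = re.compile(r"^(set|vector)\[(.+)\]$")


def _convert(value, type_name, meta, warnings, field):
    """Coerce one column to the Python type implied by its Bro type name.

    A value that does not fit its declared type is kept as the raw string and
    reported in `warnings` instead of aborting the whole record."""
    if value == meta["unset_field"]:
        return None
    m = _CONTAINER.match(type_name)
    if m:  # set[T] / vector[T]: split on the set separator, convert each item
        if value == meta["empty_field"]:
            return []
        return [_convert(v, m.group(2), meta, warnings, field)
                for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    try:
        if type_name in ("count", "int", "port"):
            return int(value)
        if type_name in ("double", "interval", "time"):
            return float(value)
        if type_name == "bool":
            if value not in ("T", "F"):
                raise ValueError(value)
            return value == "T"
    except ValueError:
        warnings.append(
            f"field {field!r}: cannot parse {type_name} {value!r}; kept as string")
    return value  # string, addr, enum and unknown types stay as text


def parse_bro_log(text):
    """Parse a Bro/Zeek ASCII log into a list of typed dict records.

    Returns (records, warnings). Rows whose column count disagrees with the
    #fields header are skipped with a warning; mis-typed values are kept as
    strings with a warning (see _convert)."""
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    sep, fields, types = "\t", [], []
    records, warnings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is spelled as an escape sequence such as \x09.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            elif key in meta:
                meta[key] = val
            continue  # #path, #open, #close carry no record data
        cols = line.split(sep)
        if len(cols) != len(fields):
            warnings.append(
                f"line {lineno}: expected {len(fields)} columns, got {len(cols)}; skipped")
            continue
        records.append({f: _convert(v, t, meta, warnings, f)
                        for f, v, t in zip(fields, cols, types)})
    return records, warnings


def to_json_lines(records):
    """Serialise records as one JSON object per line (unset fields become null)."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    recs, warns = parse_bro_log(SAMPLE_BRO_LOG)
    print(to_json_lines(recs))
    for w in warns:
        print("WARNING:", w)
```

The column-count check is the piece to watch when a delimiter is configured by hand: a Bro file split on a comma instead of the tab declared in its `#separator` line yields the wrong number of columns on every row, which is why the comment above says the `Delimiter ,` setting is unnecessary for default Bro logs.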