I have been trying to get NXLog to send Syslog entries from the Teamviewer "Connections_incoming.txt" log file. It is a tab delimited file.
I found this site which supplied the basic code for the task:
https://gist.github.com/idefux/949e84c8ec8d4db1775c
which I couldn't get working as expected. To cut a long story short, I have discovered that the $raw_event is often blank, so the Syslog entries do not contain the necessary information. I have tried to Google this issue, but I have not been able to find the information to figure this one out. There have been times when $raw_event did contain the information required from the original log file, but it is not reliable. Can someone please give me some suggestions on how to get information into the $raw_event function?

On the positive side, I do get a reliable Syslog entry whenever someone accesses the computer through TeamViewer. Using the code below, I get the message "Teamviewer Login Event".

Below is my current configuration. The if-else statement is designed to be as simple as possible to try to fault-find the issue.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in_teamviewer>
    Module im_file
    File 'c:\Program Files (x86)\TeamViewer\Connections_incoming.txt'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 10
    <Exec>
        $Hostname = hostname();
        $SeverityValue = 5;
        $MessageSourceAddress = hostname();
        $SyslogFacilityValue = 4;
        $SourceName = 'TeamViewer';
        $EventTime = parsedate($5 + '-' + $4 + '-' + $3 + ' ' + $6);
        $user = $2;
        if ($raw_event == '') $Message = $raw_event + "Teamviewer Login Event";
        else $Message = $raw_event + '['+ file_name() + ']';
        to_syslog_bsd();
    </Exec>
</Input>

<Output out_syslog>
    Module om_udp
    Host localhost
    Port 514
</Output>

<Route 1>
    Path in_teamviewer => out_syslog
</Route>

Asked June 26, 2018 - 3:30am

Comments (2)

  • Zhengshi (NXLog)

    In addition to what b0ti said, as a reference, line 11 of the link you referenced is what handles getting rid of blank lines.
    The if statement starting from line 13 is what sets up the regex capture groups so that $1, etc. work, as b0ti pointed out.

    That script seemed to work just fine, was the output not what you were expecting? I added JSON directives just because I really like the output format.

    {
      "EventReceivedTime": "2018-06-26 15:57:05.413424-05:00",
      "SourceModuleName": "in_file_TeamViewerLog_incoming",
      "SourceModuleType": "im_file",
      "Hostname": "nxlogmanager",
      "SeverityValue": 5,
      "MessageSourceAddress": "nxlogmanager",
      "SyslogFacilityValue": 4,
      "SourceName": "TeamViewer",
      "EventTime": "2018-05-07 09:14:38.000000-05:00",
      "Message": "ID:123456789 User:TEST-PC LoggedInAs:testusr BeginTime:2018-05-07 09:14:38 EndTime:2018-05-07 09:18:11 [./Connections_incoming.txt]"
    }
    

  • Chris Morrow

    I was not able to get the original script to work, so I deliberately took out the line that removes the blanks to fault-find the system. What I found was that it would detect and send the syslog message correctly, but with no message. It is interesting that you succeeded. I am starting to wonder if the operating system I am running might affect the script somehow. I am running Windows 10 Enterprise 2015 LTSB for an IoT application.
    I added LogLevel Debug to try to get more information....... and the script worked!....... sort of. It reports the second last line now, but not the last line. Not very practical to report the last time I logged on. I am wondering whether there is a speed issue or some other thing between normal Windows and LTSB. Of course, as the debug line makes the script work, I can't use it to find why it doesn't work in its absence.
    I am currently working to implement b0ti's suggestions at the moment. Hopefully that will produce some good results.

Answer (1)

$EventTime = parsedate($5 + '-' + $4 + '-' + $3 + ' ' + $6);

The above will only work if you use a regular expression match operation before doing this. See the user guide for more: https://nxlog.co/documentation/nxlog-user-guide#regular-expressions-via-the-exec-directive and https://nxlog.co/documentation/nxlog-user-guide#lang_regexp

If you want to discard blank lines this can be easily done with the following:

if $raw_event =~ /^\s*$/ drop();
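A reworked input block, added here as an example and not taken from this thread, from the linked gist or from NXLog's own documentation, showing the two points made above put together: the blank-line drop runs first, and the regex match runs before anything reads $1..$7 or calls parsedate(), so the capture groups actually exist when they are used. The tab-separated column layout encoded in the regex is an assumption constructed for the example (it mirrors the question's $5-$4-$3 $6 date order, with the user in column 2); compare it against a real line of Connections_incoming.txt and adjust the groups before relying on it.

```nxlog
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in_teamviewer>
    Module          im_file
    File            'C:\Program Files (x86)\TeamViewer\Connections_incoming.txt'
    SavePos         TRUE
    ReadFromLast    TRUE
    PollInterval    10
    <Exec>
        # Blank lines carry no connection record: discard them before anything else.
        if $raw_event =~ /^\s*$/ drop();

        # ASSUMED column layout (constructed for this example, not confirmed by the thread):
        #   <ID>\t<Name>\t<DD-MM-YYYY HH:MM:SS>\t<DD-MM-YYYY HH:MM:SS>\t<LocalUser>\t...
        # Groups: $1=ID $2=Name $3=day $4=month $5=year $6=begin time $7=local user.
        # The groups exist only after this match succeeds, so every statement that
        # reads them sits inside the if block.
        if $raw_event =~ /^(\d+)\t([^\t]*)\t(\d{2})-(\d{2})-(\d{4}) (\d{2}:\d{2}:\d{2})\t[^\t]*\t([^\t]*)/
        {
            $Hostname             = hostname();
            $MessageSourceAddress = hostname();
            $SeverityValue        = 5;
            $SyslogFacilityValue  = 4;
            $SourceName           = 'TeamViewer';
            # Same year-month-day order the question builds, now from real capture groups.
            $EventTime = parsedate($5 + '-' + $4 + '-' + $3 + ' ' + $6);
            $Message   = 'TeamViewer incoming connection ID:' + $1 + ' User:' + $2 + ' LoggedInAs:' + $7 + ' BeginTime:' + $5 + '-' + $4 + '-' + $3 + ' ' + $6 + ' [' + file_name() + ']';
            to_syslog_bsd();
        }
        else
        {
            # A non-blank line that does not fit the layout is still forwarded, tagged
            # so it stands out at the collector rather than being silently lost.
            $Hostname             = hostname();
            $MessageSourceAddress = hostname();
            $SeverityValue        = 4;
            $SyslogFacilityValue  = 4;
            $SourceName           = 'TeamViewer';
            $Message              = 'Unparsed TeamViewer log line: ' + $raw_event;
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output out_syslog>
    Module om_udp
    Host   localhost
    Port   514
</Output>

<Route 1>
    Path in_teamviewer => out_syslog
</Route>
```

Two things to keep in mind when testing this. ReadFromLast TRUE means that on the first start nothing already in the file is read, only lines appended afterwards; setting it to FALSE for one run replays the existing file, which is a quicker way to check the regex than generating new TeamViewer connections. The else branch is deliberately noisy: if most lines land there, the assumed column layout is wrong for your file, and the forwarded raw line shows exactly what the regex needs to match.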

Comments (2)

  • Chris Morrow

    I changed the Exec to look like this:

    <Exec> 
        parse_syslog();
        $Hostname = hostname();
        $SeverityValue = 2;
        $MessageSourceAddress = hostname();
        $SyslogFacilityValue = 4;
        $SourceName = 'TeamViewer';
        if ($raw_event == '') $Message = "Teamviewer Login Event";
        else $Message = "Teamviewer Login Event " + $raw_event + '['+ file_name() + ']';
        to_syslog_bsd();
    </Exec>
    

    So I can get the message through with this script. I added the message "Teamviewer Login Event" instead of deleting the blanks, just as a fault-finding measure. The issue I am trying to solve now is that it reports the second last line, and not the last. I found this in the documentation while trying to find solutions:

    http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html Example 9.5. Parsing multiline messages using module variables

    Unfortunately this solution has a minor flaw. The log message of an event is only forwarded if a new log is read, otherwise it is kept in the 'saved' variable indefinitely.

    I have read somewhere else (can't find the link) that NXLog does not know where the end of the line is in a text file until a new entry has been made. Perhaps this is what is happening with my script. The first entry could be saved into the "saved" variable until I log in with TeamViewer again, which will create a new entry. This would explain why the first syslog message is always blank, and the second syslog message has the previous log entry. If this is the case, then how do I process the last log entry?

  • b0ti (NXLog)

    im_file reads the input file line-by-line by default unless you declare and use xm_multiline so the comment is not relevant.
    It's hard to guess what's going on without seeing the actual input file.