Parsing delimited log files with regex

Post a different question
1
response

Hi
I'm using nxlog v2.9.1716.

I've created the following input:

<Input in>
Module im_file
File "C:\\Program Files\\LogFiles\\*.log"
SavePos TRUE
Recursive TRUE

Exec if $raw_event =~ /^#/ drop();
Exec if $raw_event =~ ^([^;]+);([^;]+);([^;]+)(?>;([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);([^;]+);(.+)$)?/gx; \
{ \
$date = $1; \
$time = $2; \
$site-instance = $3; \
$event = $4; \
$client-ip = $5; \
$via-header = $6; \
$http-x-forwarded-for = $7; \
$host-header = $8; \
$additional-info-1 = $9; \
$additional-info-2 = $10; \
$additional-info-3 = $11; \
$additional-info-4 = $12; \
$additional-info = $13; \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "WAF"; \
}
</Input>

The regex being used has been successfully tested with https://regex101.com/

Sample data below:

2018-06-28 ; 10:23:52 ; W3SVC2 ; OnPreprocHeaders ; 10.10.10.10 ; ; 8.8.8.8 ; my.domain.com ; GET ; /account/login ; ALERT: '/account/' not allowed in URL ; HTTP/1.0 ; 0 ; ; Actional Intermediary

When I start the nxlog service, I get the following error:

2018-06-28 16:44:51 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:89; couldn't parse statement at line 89, character 24 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error
2018-06-28 16:44:51 ERROR module 'in' has configuration errors, not adding to route '2' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116
2018-06-28 16:44:51 ERROR route 2 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116
2018-06-28 16:44:51 WARNING not starting unused module in
2018-06-28 16:44:51 INFO nxlog-ce-2.9.1716 started
2018-06-28 16:44:51 INFO reconnecting in 1 seconds

I also tried the following:

<Input in>
Module im_file
File "C:\\Program Files\\AQTRONIX Webknight\\LogFiles\\*.log"
SavePos TRUE
Recursive TRUE
<Exec>
if $Message =~ /^#/ drop();
$Message =~ ^(?<date>[^;]+);(?<time>[^;]+);(?<site_instance>[^;]+)(?>;(?<event>[^;]+);(?<client_ip>[^;]+);(?<via_header>[^;]+);(?<http_x_forwarded_for>[^;]+);(?<host_header>[^;]+);(?<additional_info_1>[^;]+);(?<additional_info_2>[^;]+);(?<additional_info_3>[^;]+);(?<additional_info_4>[^;]+);(?<additional_info>.+)$)? /gx;
</Exec>
</Input>

But I receive the following error on starting nxlog:

2018-06-28 17:15:54 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:70; couldn't parse statement at line 72, character 15 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error
2018-06-28 17:15:54 ERROR module 'in' has configuration errors, not adding to route '2' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:100
2018-06-28 17:15:54 ERROR route 2 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:100
2018-06-28 17:15:54 WARNING not starting unused module in
2018-06-28 17:15:54 INFO nxlog-ce-2.9.1716 started

I tried various syntax changes, but just cannot see the issue.

This is the first time I've tried using a regex with nxlog.

Any help or guidance much appreciated.

AskedJune 28, 2018 - 5:03pm

Answer (1)

As per the user guide on fields:

89.2.3. Fields
Fields are referenced in the NXLog language by prepending a dollar sign ($) to the field name. A field name can contain the characters [a-zA-Z0-9_.] but must begin with a letter or underscore (), as indicated by the following regular expression:
[[:alpha:]][[:alnum:]._]*
Fields containing special characters such as the space or minus (-) can be specified using curly braces such as ${file-size} or ${file size}.

For instance: $site-instance = $3; needs to either be ${site-instance} = $3; or $site_instance = $3;

Using <Exec> blocks can help more easily identify the position and line of errors.

Your regex also needs to start with /. Example : if $raw_event =~ /^([^;]

I believe your last issue is on $raw_event you are only getting one event at a time and matching the entire event so /gx shouldn't be needed.

AnsweredJune 28, 2018 - 6:33pm