Exchange 2016 Message Tracking log config assistance
Tags:
#1
jdalyasc
I am trying to use NXlog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here
https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs
When I create the conf file and attempt to run it the service starts but there are several errors logged in the nxlog.log file.
My config file is as follows
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension syslog>
Module xm_syslog
</Extension>
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15
<Extension csv_parser>
Module xm_csv
Fields date-time, client-ip, client-hostname, server-ip, server-hostname, \
source-context, connector-id, source, event-id, \
internal-message-id, message-id, network-message-id, \
recipient-address, recipient-status, total-bytes, recipient-count, \
related-recipient-address, reference, message-subject, \
sender-address, return-path, message-info, directionality, \
tenant-id, original-client-ip, original-server-ip, custom-data, \
transport-traffic-type, log-id, schema-version
</Extension>
<Input messagetracking>
Module im_file
File '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
<Exec>
if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
else
{
csv_parser->parse_csv();
$EventTime = parsedate(${date-time});
}
</Exec>
</Input>
<Output out1>
Module om_udp
Host 10.1.1.1
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path messagetracking => out1
</Route>
The errors logged in the nxlog.log file are as follows.
2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started
I have yet to come across a working example of how to forward exchange logs and was hoping someone may be able to assist. I cant see what i am missing here.
#1
jdalyasc
I am trying to use NXlog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here
https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs
When I create the conf file and attempt to run it the service starts but there are several errors logged in the nxlog.log file.
My config file is as follows
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension syslog>
Module xm_syslog
</Extension>
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15
<Extension csv_parser>
Module xm_csv
Fields date-time, client-ip, client-hostname, server-ip, server-hostname, \
source-context, connector-id, source, event-id, \
internal-message-id, message-id, network-message-id, \
recipient-address, recipient-status, total-bytes, recipient-count, \
related-recipient-address, reference, message-subject, \
sender-address, return-path, message-info, directionality, \
tenant-id, original-client-ip, original-server-ip, custom-data, \
transport-traffic-type, log-id, schema-version
</Extension>
<Input messagetracking>
Module im_file
File '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
<Exec>
if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
else
{
csv_parser->parse_csv();
$EventTime = parsedate(${date-time});
}
</Exec>
</Input>
<Output out1>
Module om_udp
Host 10.1.1.1
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path messagetracking => out1
</Route>
The errors logged in the nxlog.log file are as follows.
2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started
I have yet to come across a working example of how to forward exchange logs and was hoping someone may be able to assist. I cant see what i am missing here.
Your current problem lies in the ${date-time} portion. While this is supported in the EE version, it is not in the CE version as of yet.
Hyphens (-) are not supported in field names currently, I would rename them to date_time and then call them as $date_time.
