7 responses
I am trying to use NXlog CE to forward Exchange 2016 message tracking logs via syslog. I am trying to use the example shown here
https://nxlog.co/documentation/nxlog-user-guide#exchange_transport_logs
When I create the conf file and attempt to run it the service starts but there are several errors logged in the nxlog.log file.
My config file is as follows
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension syslog>
Module xm_syslog
</Extension>
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15
<Extension csv_parser>
Module xm_csv
Fields date-time, client-ip, client-hostname, server-ip, server-hostname, \
source-context, connector-id, source, event-id, \
internal-message-id, message-id, network-message-id, \
recipient-address, recipient-status, total-bytes, recipient-count, \
related-recipient-address, reference, message-subject, \
sender-address, return-path, message-info, directionality, \
tenant-id, original-client-ip, original-server-ip, custom-data, \
transport-traffic-type, log-id, schema-version
</Extension>
<Input messagetracking>
Module im_file
File '%BASEDIR%\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
<Exec>
if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
else
{
csv_parser->parse_csv();
$EventTime = parsedate(${date-time});
}
</Exec>
</Input>
<Output out1>
Module om_udp
Host 10.1.1.1
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path messagetracking => out1
</Route>
The errors logged in the nxlog.log file are as follows.
2018-07-12 18:06:10 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39; couldn't parse statement at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
2018-07-12 18:06:10 ERROR module 'messagetracking' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:59
2018-07-12 18:06:10 WARNING no routes defined!
2018-07-12 18:06:10 WARNING not starting unused module messagetracking
2018-07-12 18:06:10 WARNING not starting unused module out1
2018-07-12 18:06:10 INFO nxlog-ce-2.10.2102 started
I have yet to come across a working example of how to forward Exchange logs and was hoping someone may be able to assist. I can't see what I am missing here.
Comments (7)
Your current problem lies in the
${date-time}
portion. While this is supported in the EE version, it is not in the CE version as of yet. Hyphens (-) are not supported in field names currently; I would rename them to date_time and then call them as $date_time.
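The Exec block's logic (skip the BOM, the column header and '#' comment lines, split each line on the Exchange schema, turn date-time into EventTime) as a stand-alone Python check, added here and not part of the thread or of NXlog; it uses the underscore field names suggested above, and the sample log lines are constructed.

```python
import csv
import re
from datetime import datetime, timezone

# Exchange 2016 message tracking schema, in log column order. Hyphens become
# underscores, the rename suggested above for NXlog CE, which rejects '-' in field names.
MSGTRK_FIELDS = [f.replace("-", "_") for f in (
    "date-time client-ip client-hostname server-ip server-hostname source-context "
    "connector-id source event-id internal-message-id message-id network-message-id "
    "recipient-address recipient-status total-bytes recipient-count related-recipient-address "
    "reference message-subject sender-address return-path message-info directionality "
    "tenant-id original-client-ip original-server-ip custom-data transport-traffic-type "
    "log-id schema-version").split()]

# Same test as the Exec block: optional BOM, then a column header or '#' comment line.
# NXlog sees the raw bytes EF BB BF; on decoded text the BOM is U+FEFF.
SKIP_RE = re.compile(r"^\ufeff?(date-time,|#)")

def parse_msgtrk(lines):
    """Return (events, rejected): dicts keyed by MSGTRK_FIELDS, plus lines whose
    column count does not match the schema (kept aside instead of mis-aligned)."""
    events, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or SKIP_RE.match(line):
            continue
        row = next(csv.reader([line]))  # honours quoted fields, e.g. a subject with commas
        if len(row) != len(MSGTRK_FIELDS):
            rejected.append(line)
            continue
        ev = dict(zip(MSGTRK_FIELDS, row))
        # parsedate() equivalent for the ISO timestamp Exchange writes (UTC, trailing 'Z')
        ev["EventTime"] = datetime.strptime(ev["date_time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events, rejected

# Constructed sample, not a real Exchange log: BOM on line 1, '#' headers, one
# well-formed RECEIVE event with a quoted comma in the subject, one short line.
SAMPLE_LOG = [
    "\ufeff#Software: Microsoft Exchange Server",
    "#Fields: " + ",".join(f.replace("_", "-") for f in MSGTRK_FIELDS),
    r"2018-07-12T18:06:10.123Z,10.1.1.50,MAIL01.example.local,10.1.1.60,"
    r"MAIL02.example.local,250 2.0.0 OK,MAIL01\Default MAIL01,SMTP,RECEIVE,"
    r"12345,<abc@example.local>,,user@example.com,,4521,1,,,"
    r'"Quarterly report, draft",sender@example.com,sender@example.com,,'
    r"Incoming,,,,,Email,,15.01.1466.003",
    "2018-07-12T18:06:11.000Z,10.1.1.50,truncated",
]
```

Running `parse_msgtrk(SAMPLE_LOG)` yields one parsed RECEIVE event and one rejected line; a non-empty rejected list on a real MSGTRK file is the signal that the Fields list and the log's schema-version disagree.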
Thank you for your response. I tried updating the code as you mentioned and it still appears not to function.
Take out the {} brackets.
$date_time
Also testing with the trial version of the Enterprise edition with the W3 parser. I should mention we are not beyond purchasing the Enterprise edition if needed. We are simply looking for a solution that will be able to forward message tracking logs. So far both examples appear incorrect.
Missing ; at end.
Exec to_syslog_snare();
This part comes from the included
include %CONFDIR%\log4ensics.conf
I was able to get the config working with the CE edition that you provided. I am going to uninstall the CE edition and try testing with the Enterprise edition of the software. Are there any other benefits of the Enterprise edition other than the built-in W3 parser?
Thank you
Many :)
https://nxlog.co/products/additional-features-nxlog-enterprise-edition