Add information from one event to another.

6
responses

DDGH

Hello!
I've been fighting for a week, but the ideas have ended. When you delete files, Windows generates 2 Events 4663 then 4660. In EventID:4663 there is a file name, in EventID:4660 there is a result. The Marker can use the EventRecordID, which will differ by 1 for these two events. The idea with the help pm_evcorr add in EventID:4663 field from EventID:4660. As far as I understood, the design should be this:
1. EventID:4663 arrives
2. If EventID:4660 arrives within 2 seconds and in it EventRecordID greater by 1, then
3. We drop the ObjectName from the event 4663 into event 4660.
User guides tell us that the design should be of the form

  <Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $Message =~ /^pair-first/
    RequiredCondition   $Message =~ /^pair-second/
    Interval            30
    Exec                $raw_event = "got pair";
    </Pair>

And

Exec $new_field = 'new field value';

But the problem is that it's absolutely certain that something (or rather everything) is not doing so

<Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $EventID =4663
    RequiredCondition   $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);  - Here the main problem
    Interval            2
    Exec $FileName = get_prev_event_data("ObjectName");
    </Pair>

I will be very grateful for the help, the hint what to read or examples.

AskedSeptember 27, 2018 - 9:37am

b0ti

$EventID = 4663 is an assignment. $EventID == 4663 is a boolean condition check. I think you want to use the latter.

This one is also flawed:

$EventRecordID = get_prev_event_data("EventRecordID" + 1);

The following should be correct:

$EventRecordID == get_prev_event_data("EventRecordID") + 1

AnsweredSeptember 27, 2018 - 1:05pm

Leave a comment

Comments (5)

DDGH

Leave a comment

Thanks for the answer!
Something I still do wrong.

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
<Extension gelf>
    Module xm_gelf
    </Extension>
<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog
Exec if $EventID not in (4663, 4660) drop(); 
    #   Module      im_mseventlog
</Input>
<Processor evcorr>
Module          pm_evcorr
<Pair>
    TriggerCondition    $EventID == 4663
    RequiredCondition   $EventID == 4660 AND $EventRecordID == get_prev_event_data("EventRecordID") + 1 
    Interval            2
    Exec $FileName = get_prev_event_data("ObjectName");
    </Pair>
</Processor>

<Output out> 
    Module      om_udp
    Host        log
    Port        5414
    OutputType  GELF
</Output>

<Route 1>
    Path        in => evcorr => out
</Route>

2018-09-27 18:16:50 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:62; couldn't parse statement at line 62, character 66 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; function 'get_prev_event_data()' does not exist or takes different arguments
2018-09-27 18:16:50 ERROR module 'evcorr' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:74
2018-09-27 18:16:50 WARNING not starting unused module evcorr

September 27, 2018 - 5:39pm

b0ti (NXLog)
Leave a comment
As far as I know get_prev_event_data() is a recent feature added to the NXLog Enterprise Edition and it is not yet available in the CE.

September 27, 2018 - 6:24pm

DDGH
Leave a comment
It is sad.
I understand correctly that by other means, besides this functional, the problem can not be solved?

September 27, 2018 - 9:12pm

b0ti (NXLog)
Leave a comment
You could possibly do it without pm_evcorr inside the im_msvistalog input instance:

if $EventID == 4663 { create_var(string($RecordNumber), 10); set_var(string($RecordNumber), $ObjectName); } else if $EventID == 4660 { $FileName = get_var(string($RecordNumber - 1)); }

This is untested but it should do what you need. Also note that EventID is only unique per Channel.
September 27, 2018 - 9:27pm

DDGH
Leave a comment
Unfortunately I went on a business trip immediately after your reply and did not have time to thank. Everything works great, thank you!

October 9, 2018 - 10:53am

You are here

Add information from one event to another.

Answer (1)

Comments (5)