NXLog and MS Exchange Server Transport Logs

#1 michaelb

I'm trying to use NXLog to transfer my MS Exchange Server transport logs to an Elasticsearch server. I added the following config to the nxlog.conf file:

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
Module im_file
File '%BASEDIR%\MSGTRK????????*-*.LOG' # Exports all logs in Directory
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
Module om_udp
Host <IP of Elasticsearch server>
Port <port of the Elasticsearch server>
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchange_msgtrk_log';
Exec to_syslog_bsd();
</Output>

<Route exchange>
Path in_exchange => out_exchange
</Route>

When I start the nxlog Service it states in the log: INFO nxlog-ce-2.10.2150 started

I don't get any information on the Elasticsearch server. In Wireshark I don't see any UDP packets, so I guess the NXLog service doesn't do anything.

Are there any more information or debugging logs to use?

Thanks for any hint

Michael

#2 camharris

Your configuration does not appear to be incorrect.

You can generate additional log messages in the nxlog log file. Please see here. I would recommend adding a log_info() procedure to your input module in_exchange, similar to below:

<Input in_exchange>
Module im_file
File '%BASEDIR%\MSGTRK????????*-*.LOG' # Exports all logs in Directory
SavePos TRUE
Exec log_info("raw_event [" + $raw_event + "]");
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>

This would allow you to test and verify that your input module is collecting the desired events.
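Added example, not part of the thread and not NXLog's own code: a small Python script that re-implements the route from post #1 (the two drop() filters, to_syslog_bsd() with facility 2 and source name exchange_msgtrk_log, one UDP datagram per event) over constructed MSGTRK lines, so the filter behaviour and the exact bytes that should appear on the wire can be checked without NXLog, and a hand-made datagram can be sent to the receiver to prove the network path in Wireshark. The hostname 'exchange01', the receiver 127.0.0.1:5514 used in the demo, and the sample lines (with an abbreviated #Fields list) are assumptions. Two checks worth running alongside the log_info() suggestion: `nxlog.exe -v -c <path to nxlog.conf>` verifies the configuration syntax, and `LogLevel DEBUG` in the global section of nxlog.conf makes im_file report which files it opens. Keep in mind that im_file's ReadFromLast defaults to TRUE, so on a first start with no saved position nothing is sent until Exchange appends new lines to a log, and that Elasticsearch itself does not accept syslog over UDP; a syslog receiver such as Logstash has to sit in front of it.

```python
"""
Stand-alone re-implementation of the in_exchange => out_exchange route from the
question, for checking filter behaviour and syslog framing without NXLog.
Assumptions (not from the thread): hostname 'exchange01', demo receiver
127.0.0.1:5514, and the constructed sample log below (abbreviated #Fields list).
"""
import re
import socket
from datetime import datetime

# Mirrors "$SyslogFacilityValue = 2" (mail); NXLog's default severity is INFO (6),
# so to_syslog_bsd() emits PRI = 2 * 8 + 6 = 22.
SYSLOG_FACILITY_MAIL = 2
SYSLOG_SEVERITY_INFO = 6
SYSLOG_PRI = SYSLOG_FACILITY_MAIL * 8 + SYSLOG_SEVERITY_INFO
SOURCE_NAME = "exchange_msgtrk_log"  # mirrors "$SourceName = 'exchange_msgtrk_log'"

# Mirrors the two "Exec if $raw_event =~ /.../ drop();" lines.
DROP_PATTERNS = (re.compile(r"HealthMailbox"), re.compile(r"^#"))

# Constructed sample (not real data); the real #Fields line has 27 columns.
SAMPLE_MSGTRK = """\
#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: Message Tracking Log
#Date: 2020-01-15T10:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source,event-id,internal-message-id,message-id,recipient-address,total-bytes,recipient-count,message-subject,sender-address
2020-01-15T10:01:02.123Z,,EXCH01,,EXCH01,STOREDRIVER,RECEIVE,1234,<a1@example.com>,alice@example.com,2048,1,Quarterly report,bob@example.com
2020-01-15T10:01:05.456Z,,EXCH01,,EXCH01,STOREDRIVER,RECEIVE,1235,<b2@example.com>,HealthMailbox3c1d7e@example.com,512,1,Probe,HealthMailbox3c1d7e@example.com
2020-01-15T10:02:10.789Z,10.0.0.5,EXCH01,10.0.0.9,EXCH01,SMTP,DELIVER,1234,<a1@example.com>,alice@example.com,2048,1,Quarterly report,bob@example.com
"""


def should_drop(raw_event: str) -> bool:
    """True when either drop() rule in the input module would fire."""
    return any(p.search(raw_event) for p in DROP_PATTERNS)


def to_syslog_bsd(raw_event: str, hostname: str, when: datetime) -> str:
    """Approximate NXLog's to_syslog_bsd(): <PRI>Mmm dd hh:mm:ss host source: msg.
    NXLog appends "[pid]" to the source name only when $ProcessID is set, which
    im_file does not do, so it is omitted here.  The day is space-padded as
    RFC 3164 requires ("Jan  5")."""
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{SYSLOG_PRI}>{timestamp} {hostname} {SOURCE_NAME}: {raw_event}"


def route(lines, hostname="exchange01", when=None):
    """Apply the in_exchange filters; return the datagrams out_exchange would send."""
    when = when or datetime.now()
    sent = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or should_drop(line):
            continue
        sent.append(to_syslog_bsd(line, hostname, when))
    return sent


def send_udp(messages, host: str, port: int) -> int:
    """One datagram per event, no framing and no acknowledgement, as om_udp does.
    Returns the number of datagrams handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))
    return len(messages)


if __name__ == "__main__":
    datagrams = route(SAMPLE_MSGTRK.splitlines(), when=datetime(2020, 1, 15, 10, 0, 0))
    for d in datagrams:
        print(d)
    # Point this at the real receiver and watch for it in Wireshark (udp.port == 5514).
    print(send_udp(datagrams, "127.0.0.1", 5514), "datagram(s) sent")
```

Run with no arguments to print the two surviving events (the five header lines and the HealthMailbox probe are dropped) and send them to 127.0.0.1:5514; change the host and port to the real receiver and filter on udp.port in Wireshark. If these hand-made datagrams arrive while NXLog's do not, the problem is on the NXLog side (the File pattern not matching, the saved position, or the service account lacking read access to the MessageTracking directory) rather than on the network.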