
I'm trying to use NXLog to transfer my MS Exchange Server transport logs to an Elasticsearch server.
I added the following config to the nxlog.conf file:

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
    Module  im_file
    File    '%BASEDIR%\MSGTRK????????*-*.LOG' # Exports all logs in Directory
    SavePos TRUE
    Exec    if $raw_event =~ /HealthMailbox/ drop();
    Exec    if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module  om_udp
    Host    <IP of Elasticsearch server>
    Port    <Port of the Elasticsearch server>
    Exec    $SyslogFacilityValue = 2;
    Exec    $SourceName = 'exchange_msgtrk_log';
    Exec    to_syslog_bsd();
</Output>

<Route exchange>
    Path    in_exchange => out_exchange
</Route>

When I start the nxlog Service it states in the log:
INFO nxlog-ce-2.10.2150 started

I don't get any information on the Elasticsearch server.
In Wireshark I don't see any UDP packets, so I guess the NXLog service doesn't do anything.

Is there any more information or are there debugging logs I can use?

Thanks for any hint

Michael

Asked January 3, 2019 - 10:32am

Answer (1)

Your configuration does not appear to be incorrect.

You can generate additional log messages in the nxlog log file. Please see here. I would recommend adding a log_info() procedure to your input module in_exchange, similar to the one below:

<Input in_exchange>
    Module  im_file
    File    '%BASEDIR%\MSGTRK????????*-*.LOG' # Exports all logs in Directory
    SavePos TRUE
    Exec    log_info("raw_event [" + $raw_event + "]");
    Exec    if $raw_event =~ /HealthMailbox/ drop();
    Exec    if $raw_event =~ /^#/ drop();
</Input>

This would allow you to test and verify that your input module is collecting the desired events.
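The answer suggests confirming, from the nxlog log, which events survive the two drop() rules before blaming the network. The script below is an added example (not part of the forum thread or of NXLog) that replays the same checks offline: it runs the two Exec rules from the question's in_exchange block over a constructed MSGTRK sample, formats the surviving lines the way to_syslog_bsd() would with facility 2 and the $SourceName tag, and sends them over UDP to a loopback listener so you can see the packets without a firewall in the way. The sample log lines, the hostname EX01 and the assumed default severity of 6 (INFO) are constructed for the example.

```python
"""Replay the in_exchange drop() rules and BSD syslog framing offline.

Added example; not NXLog's code and not from the forum post. Sample data,
hostname and the assumed default severity are constructed for illustration.
"""
import re
import socket
from datetime import datetime

# Constructed MessageTracking sample: '#' header lines, then CSV data rows.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,server-hostname,source,event-id,recipient-address,sender-address
2019-01-03T10:00:01.000Z,EX01,STOREDRIVER,DELIVER,user@example.test,alice@example.test
2019-01-03T10:00:02.000Z,EX01,STOREDRIVER,DELIVER,HealthMailbox1234@example.test,probe@example.test
2019-01-03T10:00:03.000Z,EX01,SMTP,RECEIVE,bob@example.test,carol@example.test
"""

# The two Exec rules from the question's in_exchange block, same order.
DROP_RULES = (re.compile(r"HealthMailbox"), re.compile(r"^#"))

# Fixed timestamp so the formatted output is reproducible.
FIXED_TIME = datetime(2019, 1, 3, 10, 32, 0)


def should_drop(raw_event):
    """True if either drop() rule in the config would discard this line."""
    return any(rule.search(raw_event) for rule in DROP_RULES)


def collect_events(log_text):
    """Lines im_file would pass on to the route after the drop() rules."""
    return [line for line in log_text.splitlines() if line and not should_drop(line)]


def to_syslog_bsd(msg, hostname, tag, facility=2, severity=6, when=None):
    """Build an RFC 3164 line '<PRI>Mmm dd hh:mm:ss host tag: msg'.

    PRI = facility * 8 + severity; facility 2 (mail) matches the config's
    $SyslogFacilityValue, severity 6 (INFO) is an assumed default.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def send_udp(packets, host, port):
    """Send each packet as one UDP datagram, like om_udp; returns count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for packet in packets:
            sock.sendto(packet.encode("utf-8"), (host, port))
    return len(packets)


if __name__ == "__main__":
    # Loopback listener standing in for the Elasticsearch/syslog receiver.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    port = listener.getsockname()[1]

    events = collect_events(SAMPLE_LOG)
    print(f"{len(events)} event(s) survived the drop() rules")
    packets = [to_syslog_bsd(e, "EX01", "exchange_msgtrk_log", when=FIXED_TIME) for e in events]
    sent = send_udp(packets, "127.0.0.1", port)

    for _ in range(sent):
        data, _addr = listener.recvfrom(65535)
        print("received:", data.decode("utf-8"))
    listener.close()
```

If the loopback run shows the expected datagrams but the real server sees nothing, the formatting and filtering are fine and the remaining suspects are the path between the hosts (host firewall, network ACLs) and the listener on the receiving side.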

Comments (1)

  • michaelb

    That did the trick. I now see what events are being collected, and I see the UDP packets on the network.
    It turned out that a firewall rule was blocking the packets.
    Thanks for your help.
    Highly appreciated.