
Hi,
I have the following Windows log message which I am trying to parse, removing the \r, \t and \n from the log. With what I am using I am unable to parse it, and it still shows me the log content as is?

input:
ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege

output:
ACBDEFG 12/03/2018 10:15:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege

I am using the community edition and trying to parse it using the following nxlog configuration. Can you please suggest any changes needed in the conf?
# Global section
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
#Extension section
<Extension multi>
Module xm_multiline
HeaderLine /^================/
EndLine /^---------------/
</Extension>
# Modules section
<Input in>
Module im_tcp
HOST 0.0.0.0
Port 1532
#InputType multi
# Remove the boundary markers
Exec if $raw_event =~ s/========[=]+//g {}
# Make a single line
Exec if $raw_event =~ s/[\r\n]/ /g {}
#remove the end directive
Exec if $raw_event =~ s/--------[-]+//g {}
Exec if $raw_event =~ /^ *$/ drop();
Exec $raw_event = replace($raw_event, "\t", " ");
</Input>
<Output out>
Module om_file
File '/tmp/output'
#Exec $raw_event = "--------------------------------------\n" + $raw_event;
</Output>

# Route section
<Route r>
Path in => out
</Route>

Asked February 12, 2019 - 3:25am

Answer (1)

The issue is that these are not single characters of a newline (\n) and tab (\t) but in fact two characters (\) and (n).
Add an extra slash and you should be good. I changed the line with \r and \n to use an OR structure as well.

    # Make a single line: the event carries the two-character sequences \r and \n,
    # so the pattern must escape the backslash to match them
    Exec if $raw_event =~ s/\\r|\\n/ /g {}
    # Remove the end directive
    Exec if $raw_event =~ s/--------[-]+//g {}
    Exec if $raw_event =~ /^ *$/ drop();
    # Same for the literal \t sequence
    Exec $raw_event = replace($raw_event, "\\t", " ");
Answered February 12, 2019 - 3:48pm
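The same point worked through in Python as an added example (not code from the question or the answer): the sample event is constructed from the one posted above, with the CR/LF/TAB sequences stored as two literal characters each, so a character class of real control characters leaves it untouched while a pattern for the escaped form flattens it; the example then pulls the EventCode and the privilege list out of the flattened line, which is what one would feed a detection for 4672 Special Logon events.

```python
import re
from typing import Optional

# Constructed sample modelled on the event in the question. Raw strings keep
# every "\r", "\n" and "\t" as backslash + letter, exactly as in the posted log.
SAMPLE = (
    r"ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\nEventCode=4672\r\n"
    r"TaskCategory=Special Logon\r\nKeywords=Audit Success\r\nMessage=msg_somethinh."
    r"\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n"
    r"\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege"
    r"\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeDebugPrivilege"
)


def flatten_wrong(event: str) -> str:
    """Mirror the original config: a class of real CR/LF control characters.
    The text holds none, so the event comes back unchanged."""
    return re.sub(r"[\r\n]", " ", event)


def flatten(event: str) -> str:
    """Mirror the answer: match the escaped two-character sequences. The extra
    collapsing of repeated spaces is this example's own normalisation step."""
    out = re.sub(r"\\r|\\n", " ", event)   # literal backslash-r / backslash-n
    out = out.replace("\\t", " ")          # literal backslash-t
    return re.sub(r" {2,}", " ", out).strip()


def event_code(flat: str) -> Optional[str]:
    """Return the EventCode value from a flattened event, or None."""
    m = re.search(r"\bEventCode=(\d+)", flat)
    return m.group(1) if m else None


def privileges(flat: str) -> list:
    """Everything after 'Privileges:' in the flattened event is a
    whitespace-separated list of privilege names."""
    _, _, tail = flat.partition("Privileges:")
    return tail.split()


if __name__ == "__main__":
    print(flatten_wrong(SAMPLE) == SAMPLE)      # True: nothing was replaced
    flat = flatten(SAMPLE)
    print(event_code(flat), privileges(flat))
```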