windows mutline event log not being parsed by nxlog

Tags: nxlog multiline issue

#1 gowthamkaruturi 6 years ago

Hi, I have the following windows log message which i am trying to parse and remove the \r,\t and \n from the log. with i am using i am unable to parse it and it still shows me the log content as is?

input: ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege

output: ACBDEFG 12/03/2018 10:15:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege

I am using the community edition and trying out to parse using the following configuration of nxlog. can you please suggest any changes needed in the conf?

Global section

User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO #Extension section <Extension multi> Module xm_multiline HeaderLine /^================/ EndLine /^---------------/ </Extension>

Modules section

<Input in> Module im_tcp HOST 0.0.0.0 Port 1532
#InputType multi # Remove the boundary markers Exec if $raw_event =~ s/========[=]+//g {}

Make a single line

            Exec if $raw_event =~ s/[\r\n]/ /g {}
              #remove the end directive
Exec        if $raw_event =~ s/--------[-]+//g {}
Exec  if $raw_event =~ /^ *$/ drop();
Exec        $raw_event = replace($raw_event, &quot;\t&quot;, &quot; &quot;);

</Input> <Output out> Module om_file File '/tmp/output' #Exec $raw_event = "--------------------------------------\n" + $raw_event; </Output>

Route section

Permalink

#2 Zhengshi Nxlog ✓ 6 years ago

#1 gowthamkaruturi

Hi, I have the following windows log message which i am trying to parse and remove the \r,\t and \n from the log. with i am using i am unable to parse it and it still shows me the log content as is? input: ACBDEFG 12/03/2015 09:05:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege output: ACBDEFG 12/03/2018 10:15:13 AM\r\nLogName=Security\r\nSourceName=Microsoft Windows security auditing.\r\nEventCode=4672\r\nEventType=0\r\nType=Information\r\nComputerName=VDEEXCP01.teckcominco.loc\r\nTaskCategory=Special Logon\r\nOpCode=Info\r\nRecordNumber=3259542776\r\nKeywords=Audit Success\r\nMessage=msg_somethinh.\r\r\n\r\r\nSubject:\r\r\n\tSecurity ID:\t\tABCDEFFHG-12345\r\r\n\tAccount Name:\t\ABEDCEDDDD$\r\r\n\tAccount Domain:\t\tABCXDDFFEEFFFF\r\r\n\tLogon ID:\t\t98665svdvdvdv\r\r\n\r\r\nPrivileges:\t\tSeSecurityPrivilege\r\r\n\t\t\tSeBackupPrivilege\r\r\n\t\t\tSeRestorePrivilege\r\r\n\t\t\tSeTakeOwnershipPrivilege\r\r\n\t\t\tSeDebugPrivilege\r\r\n\t\t\tSeSystemEnvironmentPrivilege\r\r\n\t\t\tSeLoadDriverPrivilege\r\r\n\t\t\tSeImpersonatePrivilege\r\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege I am using the community edition and trying out to parse using the following configuration of nxlog. can you please suggest any changes needed in the conf? Global section User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO #Extension section <Extension multi> Module xm_multiline HeaderLine /^================/ EndLine /^---------------/ </Extension> Modules section <Input in> Module im_tcp HOST 0.0.0.0 Port 1532 #InputType multi # Remove the boundary markers Exec if $raw_event =~ s/========[=]+//g {} Make a single line Exec if $raw_event =~ s/[\r\n]/ /g {} #remove the end directive Exec if $raw_event =~ s/--------[-]+//g {} Exec if $raw_event =~ /^ *$/ drop(); Exec $raw_event = replace($raw_event, "\t", " "); </Input> <Output out> Module om_file File '/tmp/output' #Exec $raw_event = "--------------------------------------\n" + $raw_event; </Output> Route section <Route r> Path in => out </Route>

The issue is that these are not single characters of a newline (\n) and tabs (\t) but in fact two characters {\) and (n).
Add an extra slash and you should be good. I changed the line with \r and \n to use an OR structure as well.

    Exec if $raw_event =~ s/\\r|\\n/ /g {}
#remove the end directive
    Exec if $raw_event =~ s/--------[-]+//g {}
    Exec if $raw_event =~ /^ *$/ drop();
    Exec $raw_event = replace($raw_event, "\\t", " ");