1
response

i want to send my atp log to syslog server with the help of nxlog . i am storing atplog to atp.log file and the data is in json format.

I am using below configuration but i am not getting anything on my syslog server which is AV.

configuration:
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS 10.0.2.4
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>
<input atplogfile>
Module im_atplogfile
</input>

<Input ATPLogs_IN>
Module im_atplogfile
File "C:\\temp\\log\\atplogs-*.log"
Exec $Message = to_json(); to_syslog_bsd();
</Input>

<Output ATPLogs_OUT>
Module om_atplogfile
File "/var/log/nxlog/syslog.log"
Exec to_syslog_bsd();
</Output>

########################################
# Routes #
########################################
<Route 1>
Path ATPLogs_IN => ATPLogs_OUT
</Route>

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Output out>

Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();

</Output>

<Route 1>
Path eventlog, internal => out
</Route>

AskedFebruary 22, 2019 - 1:14am

Answer (1)

If the data is already in JSON you should get rid of Exec $Message = to_json(); to_syslog_bsd(); in ATPLogs_IN. Note that since the conversion is already done in the output instance, invoking to_syslog_bsd() is not needed there.