Hi, I am trying out nxlog (versus running a Linux VM for syslog collection) and my configuration works.
However, the nxlog file does not include the date time for each log entry.
I have experimented with BSD versus IETF with no change in result.
I read the manual but I am not seeing why nxlog would strip the date time from the received log message.
I am trying to figure out how to retain the date time values for each log line.
My config:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog();
</Input>

<Output file>
    Module om_file
    File 'E:\smb\kam\syslog.txt'
    <Exec>
        if file->file_size() > 15M
        {
            $newfile = 'E:\smb\kam\syslog.old' + "." +
                       strftime(now(), "%Y%m%d%H%M%S");
            file->rotate_to($newfile);
        }
    </Exec>
</Output>

<Route syslog_to_file>
    Path udp => file
</Route>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
My nxlog file output, with redactions <snip>:
PS E:\smb\kam> gc -tail 5 .\syslog.txt
<173>ulogd[869]: Blocked IN=eth1 OUT= MAC=<snip> SRC=185.153.<snip> DST=98.114.<snip> LEN=40 TOS=08 PREC=0x20 TTL=237 ID=4147 PROTO=TCP SPT=44338 DPT=23 SEQ=1112406427 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
Same syslog output from the Linux VM, with redactions <snip>:
[root@penguin kam]# tail messages.txt
Feb 13 23:59:19 -05:00 ulogd[869]: Blocked IN=eth1 OUT= MAC=<snip> 184.105.<snip> 98.114.<snip> 40 00 0x00 247 54321 TCP 35457 30005 2026363779 0 65535 SYN
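Added example (not from the post, and not nxlog code): a small Python parser for BSD-style syslog lines that shows where the missing timestamp went. The ulogd event arrives on the wire as `<173>ulogd[869]: ...` with no timestamp in its header, so a collector that writes the raw message verbatim has nothing to keep; the `Feb 13 23:59:19` in the Linux VM's file is the time the syslog daemon stamped on receipt. The parser splits the PRI into facility and severity and supplies a receive timestamp only when the sender omitted one; the sample lines are constructed from the redacted output above.

```python
import re
from datetime import datetime

# Constructed sample: the line nxlog wrote to syslog.txt in the post, with the
# redacted fields shortened. Note the header carries a PRI but no timestamp.
NXLOG_LINE = ("<173>ulogd[869]: Blocked IN=eth1 OUT= MAC=<snip> SRC=185.153.<snip> "
              "DST=98.114.<snip> LEN=40 PROTO=TCP SPT=44338 DPT=23 SYN")

# BSD syslog (RFC 3164) header: "<PRI>" then an optional "Mmm dd hh:mm:ss"
# timestamp (day space-padded), then the rest of the message.
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<rest>.*)$", re.S)

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_bsd(line):
    """Split a BSD syslog line into facility, severity, the sender's timestamp
    (None when absent) and the remaining message text."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,      # <173> -> facility 21 (local5)
        "severity": pri & 7,       # <173> -> severity 5 (notice)
        "timestamp": m.group("ts"),
        "message": m.group("rest"),
    }

def bsd_timestamp(dt):
    """Format a datetime the way RFC 3164 does, e.g. 'Feb  3 01:02:03'."""
    return "%s %2d %02d:%02d:%02d" % (
        MONTHS[dt.month - 1], dt.day, dt.hour, dt.minute, dt.second)

def with_receive_time(line, received_at):
    """Return the line with a timestamp: the sender's own if it had one,
    otherwise the collector's receive time, as a syslog daemon would do."""
    ev = parse_bsd(line)
    ts = ev["timestamp"] or bsd_timestamp(received_at)
    pri = (ev["facility"] << 3) | ev["severity"]
    return "<%d>%s %s" % (pri, ts, ev["message"])

if __name__ == "__main__":
    ev = parse_bsd(NXLOG_LINE)
    print(ev["facility"], ev["severity"], ev["timestamp"])
    print(with_receive_time(NXLOG_LINE, datetime(2019, 2, 13, 23, 59, 19)))
```

Because the timestamp is supplied by the collector, it reflects when the packet was received, not when ulogd blocked the connection; for UDP syslog that is the only time you get, so keep the collector's clock synchronised.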
Comments (1)
Thank you Zhengshi, I did not think about being able to view the source.