10
responses

I was trying to convert JSON to syslog, okta logs are the source of JSON, but couldn't convert okta logs to syslogs and copy the converted logs to a .txt file as I was getting this:
Module in2 got EOF from C:\Users\user\output.txt
DEBUG got EOF for C:\Users\user\output.txt.
Please help me in resolving this.
My nxlog config file:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
NoCache TRUE
LogLevel DEBUG

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input in2>
Module im_file
File 'C:\Users\user\output.txt'
SavePos TRUE
ReadFromLast TRUE
PollInterval 1
Exec $Message = $to_json; $SyslogFacilityValue = 22;
</Input>

<Output out>
Module om_file
File 'C:\syslog\Sysoutput.txt'
Exec to_syslog_bsd();
</Output>

<Route r>
Path in2 => out
</Route>

AskedMarch 19, 2019 - 10:01pm

Answers (2)

DEBUG got EOF for C:\Users\user\output.txt.

This just means it has run out of lines to read.

For Input in2, is this file ever appended to or is it as big as it is going to be? What I am getting at is NXLog only pulls events that are added to the file after we start to watch the file by default.
If what you are wanting is to read historical data, then you will want to change SavePos and ReadFromLast to False. Otherwise you will just need to wait for new lines to be added.

Are you actually getting JSON out? Without parsing something to get the fields, you probably don't have $Messages.
The $to_json; part should also be to_json();.

Your nxlog.log file should show you the errors, I would definitely suggest reading through that log first when things aren't working.

Comments (4)

  • Divya's picture

    I have set SavePos and ReadFromLast to false and changed $to_json to to_json() and yet the output doesn't have any data and nxlog.log file doesn't have any error messages too. My input file is .txt file that has a valid json content in it, but it isn't formatted it's all in a single line, which I want to convert to syslog format and store in an output file.

  • Zhengshi's picture
    (NXLog)

    If the content is currently JSON, then you do not need to convert it to_json(). You likely want to parse_json() instead.
    If you can post an example Input event this would be easier. Just a line or two out of the source file could be sufficient.

  • Divya's picture

    This is sample data: [{"actor":{"id":"1","type":"User","alternateId":"user@domain.com","displayName":"user","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"unknown","os":"unknown","browser":"unknown"},"zone":"null","device":"unknown","id":null,"ipAddress":"00.00.00.00","geographicalContext":{"city":"city","state":"state","country":"country","postalCode":"00000","geolocation":{"lat":"00.000","lon":"00.000"}}}}]

In case it may help, we do have a solution to pull logs from Okta and forward it as syslog. See here for more information.

Comments (4)

  • Divya's picture

    I am having a problem with getting output in syslog format This is how I am getting the output, is their anything that you could help me with:
    <13>Mar 22 10:16:53 LAPTOP [
    <13>Dec 31 17:00:00 LAPTOP {
    <13>Dec 31 17:00:00 LAPTOP "actor":{
    <13>Dec 31 17:00:00 LAPTOP "id":"00",
    <13>Dec 31 17:00:00 LAPTOP "type":"User",
    <13>Dec 31 17:00:00 LAPTOP"alternateId":"user.domain.com",
    <13>Dec 31 17:00:00 LAPTOP "displayName":"user",
    <13>Dec 31 17:00:00 LAPTOP "detailEntry":null

  • Zhengshi's picture
    (NXLog)

    It looks like your source file has the entries expanded into multiple lines? The initial sample was shown on one line though.
    If they are spanning multiple lines, you could use xm_multiline to group them into a single event.

  • Divya's picture

    Thanks, Zhengshi for the help, I wasn't able to get any syslogs if put the source entirely in one line, so I changed it to multiline. What I can I change in the code, if I have multiple events in a single line