We are using NXLog to relay logs from ModSecurity to AlienVault. The transfer is working but NXLog is adding time and date to the beginning of every line. This is stopping AlienVault from processing the data properly. Is there a way for us to stop NXLog from modifying the sent logs?
Comments (5)
nxlog does not modify the raw data unless it is explicitly told to do so, e.g. via
Exec to_syslog_bsd();
It's hard to tell why without knowing what you have in your nxlog.conf.

See below for a copy of nxlog.conf.
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
#<Extension ModSecurity_parser>
# Module xm_multiline
# Headerline /---([a-zA-Z0-9]{8})---A--/
#</Extension>
<Input modsecurity>
Module im_file
File "/var/log/modsec_audit.log"
# InputType ModSecurity_parser
</Input>
<Output modsecurity_logs>
Module om_udp
Host 10.254.16.121
Port 514
</Output>
########################################
# Routes #
########################################
<Route 1>
Path modsecurity => modsecurity_logs
</Route>
Mar 29 11:39:01 ---Gbenr0sW---D--
Above is an example line of the raw data in AlienVault and AlienVault's documentation states raw data is never modified for auditing purposes. The ModSecurity log does not have the Date and Time. It appears NXLog is adding this. The host IP is also included with the Date and Time on lines that include data.
I doubt that. Feel free to check the udp packet contents with wireshark.
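The wire-level check suggested above, as an added example that is not part of this thread or of NXLog itself: the script sends a constructed ModSecurity audit boundary line over UDP to a loopback listener standing in for the collector, confirms the datagram arrives byte-for-byte unchanged, and contrasts that with what the line would look like if to_syslog_bsd() had been applied (the hostname "waf01", the priority value and the timestamp in the wrapper are assumed values). The header detector tells you whether a timestamp like the one in the example line was already present in the packet or was prepended after receipt.

```python
import re
import socket

# Constructed sample: a ModSecurity audit-log part boundary line as written to modsec_audit.log
RAW_LINE = b"---Gbenr0sW---D--"

# BSD syslog header: optional <PRI> followed by "Mon dd hh:mm:ss " (day may be space-padded)
BSD_HEADER = re.compile(rb"^(?:<\d{1,3}>)?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def has_syslog_header(payload: bytes) -> bool:
    """True if the payload begins with a BSD syslog PRI/timestamp header."""
    return BSD_HEADER.match(payload) is not None


def to_syslog_bsd(line: bytes, hostname: bytes = b"waf01",
                  timestamp: bytes = b"Mar 29 11:39:01", pri: int = 13) -> bytes:
    """Approximation (constructed, not NXLog's code) of the BSD wrapper an
    'Exec to_syslog_bsd();' directive would put in front of a raw line."""
    return b"<%d>" % pri + timestamp + b" " + hostname + b" " + line


def relay_and_capture(payload: bytes) -> bytes:
    """Send one datagram to a loopback UDP listener (stand-in for the collector
    on port 514) and return exactly the bytes that arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))          # ephemeral port, no privileges needed
    rx.settimeout(2)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(payload, ("127.0.0.1", port))
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data


if __name__ == "__main__":
    received = relay_and_capture(RAW_LINE)
    print("on the wire:", received, "| header present:", has_syslog_header(received))
    wrapped = to_syslog_bsd(RAW_LINE)
    print("with to_syslog_bsd():", wrapped, "| header present:", has_syslog_header(wrapped))
```

If the captured datagram already carries the timestamp, the shipper's configuration is adding it; if it arrives as the bare boundary line, whatever prepends the date, time and source host is doing so on the receiving side.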
After further checking, it turns out it's not NXLog. It was shipping the log properly.