How to replace the Host IP in the output section by a variable or a regex?

Post a different question
3
responses

Hello,
I'm both new here and new at nxlog so excuse my question if it sounds awkward.
I'm trying to configure nxlog for an environment with multiple intermediary loghosts which have different IP addresses.
The only pattern is that the machine that is sending the log and the loghost always have a similar first three octets (same subnet).
So the computer 192.168.0.10 will send logs to 192.168.0.100
and the computer 10.10.10.30 will send its logs to 10.10.10.100.
The last octet of all loghosts are similar as well.

My goal is to be able to call the computer IP with HostIP, match it with a regex [0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3} and transform it to $1.$2.$3.100 which will be the loghost IP.
My output module may look like this:

<Output loghost>
Module om_udp
Host $loghost
Port 514
</output>

Why am I doing this? I'm deploying nxlog via GPO and wanted to send a single nxlog.conf to all the domain computers which will find the corresponding loghost based on their own IP.

At this time, none of my attempts to add a regex to an Exec directive in the output module were successful.
If any one had come across the need for adding a variable as Host or similar issue, I will appreciate your help.
Any other directions are much appreciated.

Thank you,
Mikal

AskedJune 19, 2019 - 9:11pm

Answer (1)

Mikal, I think the issue you are running into is that you can not update those directives with a field, only defines. That is to say Host $ip won't work, but Host %IP% will. In NXLog EE, there are a couple ways you could get this to work, but they would both require a script run on the box at execution time.

Pulling in Environment Variables:
You could write a script that runs on your servers that sets an environment variable for your loghost based on the server IP.
https://nxlog.co/documentation/nxlog-user-guide-full#config_overview_envvar

envvar IP

<Output loghost>
    Module  om_udp
    Host    %IP%
    Port    514
</Output>

Using a script to populate directives with include_stdout:
You would write a script that does this calculation for you and then outputs where the include is.

See this example for inputting File directive.
https://nxlog.co/documentation/nxlog-user-guide-full#iis_automatic_retrieval

Another solution could be to create an Output for each Loghost you are wanting to send to and adding some code that will match the IP needed and drop it. Note: This code has not been tested.

<Extension _resolver>
    Module      xm_resolver
</Extension>
<Output loghost_192_168_0_100>
    Module  om_udp
    Host    192.168.0.100
    Port    514
    Exec   if name_to_ipaddr($Hostname) !~ /^192\.168\.0\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4]))$/ drop();
</Output>

Your route would then include all outputs.
Path in=>loghost1,loghost2,loghost3

AnsweredJune 20, 2019 - 4:26pm

Comments (2)

  • mikal's picture

    Hello,

    I finally found a way out.
    I used the Include directive to read the host configuration from a separate file.
    An external script is used to retrieve the local IP and replace the last octet as I wanted, and write the result to that file.
    My final Output module looks like this:

    <Output loghost>

    Module om_udp
    # The include below requires loghost.txt generated from an external script
    Include %ROOT%\\conf\\loghost.txt
    Port 514

    </Output>

    Thank you.

    July 1, 2019 - 5:00pm