Not getting parse multi-line XML file
Tags:
#1
pradumn
Below is my NXLOG configuration file to parse
define ROOT C:\Program Files (x86)\nxlog
<Extension gelf>
Module xm_gelf
</Extension>
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension multiline>
Module xm_multiline
HeaderLine /^<event>/
EndLine /^</event>/
</Extension>
<Extension xmlparser>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input filein>
Module im_file
File "C:\\test\\server\\Azurion\\SoftwarePackage\\test.xml"
InputType multiline
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<event>/ drop();
# Parse the xml event
parse_xml();
#Rewrite some fields
$EventTime = parsedate($timestamp);
delete($timestamp);
delete($EventReceivedTime);
# Convert to JSON
to_json();
</Exec>
</Input>
<Output fileout>
Module om_file
File "C:\\Users\\320005935\\Desktop\\new.txt"
</Output>
<Route parse_xml>
Path filein => fileout
</Route>
This is my XML file
<?xml version="1.0" encoding="UTF-8"?>
<event>
<timestamp>2012-11-23 23:00:00</timestamp>
<severity>ERROR</severity>
<message>
Something bad happened.
Please check the system.
</message>
</event>
<event>
<timestamp>2012-11-23 23:00:12</timestamp>
<severity>INFO</severity>
<message>
System state is now back to normal.
</message>
</event>
#1
pradumn
Below is my NXLOG configuration file to parse
define ROOT C:\Program Files (x86)\nxlog
<Extension gelf>
Module xm_gelf
</Extension>
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension multiline>
Module xm_multiline
HeaderLine /^<event>/
EndLine /^</event>/
</Extension>
<Extension xmlparser>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input filein>
Module im_file
File "C:\\test\\server\\Azurion\\SoftwarePackage\\test.xml"
InputType multiline
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<event>/ drop();
# Parse the xml event
parse_xml();
#Rewrite some fields
$EventTime = parsedate($timestamp);
delete($timestamp);
delete($EventReceivedTime);
# Convert to JSON
to_json();
</Exec>
</Input>
<Output fileout>
Module om_file
File "C:\\Users\\320005935\\Desktop\\new.txt"
</Output>
<Route parse_xml>
Path filein => fileout
</Route>
This is my XML file
<?xml version="1.0" encoding="UTF-8"?>
<event>
<timestamp>2012-11-23 23:00:00</timestamp>
<severity>ERROR</severity>
<message>
Something bad happened.
Please check the system.
</message>
</event>
<event>
<timestamp>2012-11-23 23:00:12</timestamp>
<severity>INFO</severity>
<message>
System state is now back to normal.
</message>
</event>
This all actually looks good. I ran your config just to verify and I received the following:
{"SourceModuleName":"filein","SourceModuleType":"im_file","severity":"ERROR","message":"\n Something bad happened.\n Please check the system.\n ","EventTime":"2012-11-23T23:00:00.000000-05:00"}
{"SourceModuleName":"filein","SourceModuleType":"im_file","severity":"INFO","message":"\n System state is now back to normal.\n ","EventTime":"2012-11-23T23:00:12.000000-05:00"}
Are you updating this file or is it a static file? If it is a static file, NXLog will not read portions that exist before the service is started by default. I added the following to the config to read the file from the start:
SavePos False
ReadFromLast False
You may want to do something about the newline characters though.
