
Hi,
I'm trying to use a regex in NXLog.
My current configuration saves firewall logs to a .txt file, using the $Sender value to build the file name.

.......

<Input *****>
    Module im_tcp
    Host 0.0.0.0
    Port 1001
    <Exec>
        # LEEF events go to the LEEF parser; anything else is treated as plain syslog
        if $raw_event =~ /LEEF/ parse_leef();
        else parse_syslog();
    </Exec>
</Input>

.......

<Output *********>
    define OUT_DIR %LOGDIR2%/*********
    Module om_file
    # The output file name is built from the $Sender field of each event
    File "%OUT_DIR%/" + $Sender + ".txt"
    <Schedule>
        Every 3600 sec
        <Exec>
            # Rotate the current file every hour if it is non-empty, then compress it.
            # Note: exec_async() runs the binary directly, without a shell, so a
            # wildcard argument is handed to bzip2 literally rather than expanded.
            if *********->file_size() > 0M
            {
                set_var('newfile', file_name() + strftime(now(), '_%Y%m%d%H%M%S') + '.log');
                rotate_to(get_var('newfile'));
                exec_async('C:/Program Files/GnuWin32/bin/bzip2.exe', 'E:/*********/ *.log');
            }
        </Exec>
    </Schedule>
</Output>

.........

This is the Log:
<13>Sep 4 16:07:23 Firewall: LEEF:1.0|FORCEPOINT|Firewall|1.1.1|Connection_Discarded|src=122.1.1.1 EventReceivedTime=2019-09-04 16:07:23 SourceModuleName=****** SourceModuleType=im_tcp LEEFVersion=<1> LEEF:0.0 Vendor=FORCEPOINT vSrcName=Firewall Version=1.1.1 EventID=Connection_Discarded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=2019-09-04 16:07:23 proto=1 dstPort=80 srcPort=53438 dst=192.1.1.1 sender=services.fw.mi01.custom.cloud node 1 action=Discard

the system sets the value of $Sender like this:
$Sender = services.fw.mi01.custom.cloud node 1 action=Discard.txt

but instead I need the system to set $Sender this way, only up to "node 1":
$Sender = services.fw.mi01.custom.cloud node 1.txt

I thought about using a regex to extract the value I need, but it doesn't work.
This one:
<Exec>
    # Run this after parse_leef(): match the raw event, capture the value after
    # "sender=" up to the next key=value pair, and overwrite $Sender with it
    if $raw_event =~ /sender=(.+?)(?:\s+[A-Za-z]\w*=|$)/ $Sender = $1;
</Exec>

Can I do this thing?
If so, what should I do?

Thank you
Antonio

Asked September 4, 2019 - 5:36pm
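The point worth seeing in code is why "sender" swallows "action=Discard": LEEF 1.0 separates attributes with a tab, and a value such as "node 1" legitimately contains spaces, so whether a parser stops at the next tab or at the next key=value pair decides what ends up in $Sender. There is also a security angle the thread does not spell out: $Sender arrives over a TCP listener bound to 0.0.0.0 and is concatenated straight into a file path, so whoever can reach that port chooses the file name. The following Python is an added example (not code from the post, and not NXLog's own parse_leef() implementation): a small LEEF attribute parser that takes values up to the next key, the same sender regex as a stand-alone function, and a file-name builder that refuses values which could escape the output directory. The two event lines are constructed from the one in the question, and the output directory "E:/fw" is a hypothetical stand-in for the asterisked path.

```python
import re

# Constructed sample data: the LEEF event from the question, once with the tab
# delimiter LEEF 1.0 specifies and once with the tabs collapsed to spaces, as
# happens when a log line is pasted into a web form.
HEADER = ("<13>Sep 4 16:07:23 Firewall: "
          "LEEF:1.0|FORCEPOINT|Firewall|1.1.1|Connection_Discarded|")
ATTRS = ["src=122.1.1.1", "proto=1", "dstPort=80", "srcPort=53438",
         "dst=192.1.1.1", "sender=services.fw.mi01.custom.cloud node 1",
         "action=Discard"]
LEEF_TABS = HEADER + "\t".join(ATTRS)
LEEF_SPACES = HEADER + " ".join(ATTRS)

# A key is a letter followed by word characters and "=", at the start of the
# attribute block or after whitespace. Values run up to the next key, so "node 1"
# stays inside the sender value whether the delimiter was a tab or a space.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)=")


def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0 line into its header fields and an attribute dict."""
    if "LEEF:" not in line:
        raise ValueError("not a LEEF event")
    _syslog_prefix, leef = line.split("LEEF:", 1)
    parts = leef.split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    version, vendor, product, product_version, event_id, body = parts
    keys = list(KEY_RE.finditer(body))
    attrs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        # Caveat: a value that itself contains " word=" is split there. LEEF has
        # no quoting, so this is a limit of the format, not of the parser.
        attrs[m.group(1)] = body[m.end():end].strip()
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attrs": attrs}


# The same rule as one regex, usable in an NXLog-style "if $raw_event =~ /.../"
# test: capture lazily after "sender=" until the next whitespace-delimited key.
SENDER_RE = re.compile(r"sender=(.+?)(?:\s+[A-Za-z]\w*=|$)")


def extract_sender(raw_event: str):
    m = SENDER_RE.search(raw_event)
    return m.group(1) if m else None


# Characters allowed in a file name derived from an untrusted field: no path
# separators, no colon (drive letter or NTFS stream), no wildcards or quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._ -]+")
WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL",
                    *[f"COM{i}" for i in range(1, 10)],
                    *[f"LPT{i}" for i in range(1, 10)]}


def sender_filename(sender: str, out_dir: str = "E:/fw"):
    """Build OUT_DIR/<sender>.txt the way the om_file File expression does, but
    return None for values that could escape out_dir or are not valid names.
    out_dir is a hypothetical stand-in for the asterisked path in the post."""
    if not SAFE_NAME.fullmatch(sender):
        return None
    stem = sender.strip(" .")  # rejects "..", "...", " " and names Windows would trim
    if not stem or stem != sender:
        return None
    if stem.split(".")[0].upper() in WINDOWS_RESERVED:
        return None
    return f"{out_dir}/{sender}.txt"


if __name__ == "__main__":
    for name, line in (("tabs", LEEF_TABS), ("spaces", LEEF_SPACES)):
        sender = parse_leef(line)["attrs"]["sender"]
        print(name, "->", repr(sender), "->", sender_filename(sender))
```

Run stand-alone it prints the same sender value and file name for both delimiters; the untrimmed "services.fw.mi01.custom.cloud node 1 action=Discard" from the question is refused by sender_filename() because of the "=", as is anything containing a separator, a drive letter or a ".." component. Refusing rather than stripping is deliberate: silently stripping characters would let two different senders collide on one file.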

Answer (1)

What version of NXLog are you using? I used NXLog EE v4.5.4503 to test this quickly and received the following:

2019-09-04 12:08:39 INFO nxlog-4.5.4503 started
2019-09-04 12:08:39 INFO Sender: services.fw.mi01.custom.cloud node 1
2019-09-04 12:08:39 INFO {"EventReceivedTime":"2019-09-04 16:07:23","SourceModuleName":"****** SourceModuleType=im_tcp","SourceModuleType":"im_file","Hostname":"Firewall:","LEEFVersion":"<1> LEEF:0.0","Vendor":"FORCEPOINT","SourceName":"Firewall","Version":"1.1.1","EventID":"Connection_Discarded","MessageSourceAddress":"122.1.1.1","devTimeFormat":"MMM dd yyyy HH:mm:ss","EventTime":"2019-09-04T16:07:23.000000-04:00","proto":"1","dstPort":80,"srcPort":53438,"dst":"192.1.1.1","sender":"services.fw.mi01.custom.cloud node 1","action":"Discard"}

Note that I used JSON to see the fields, and it looks like sender is set appropriately, unless you were wanting to remove the "node 1" part from the field?

Conf I used:

<Input in> 
    Module im_file
    File '/opt/nxlog/etc/leef.log'
    ReadFromLast False
    SavePos False
    <Exec>
        if $raw_event =~ /LEEF/
        parse_leef();
        else
        parse_syslog();
        to_json();
        log_info("Sender: " + $sender);
        log_info($raw_event);
    </Exec>
</Input>
<Output out> 
    define OUT_DIR /tmp/
    Module om_file
    File "%OUT_DIR%/" + $Sender + ".txt"
</Output>
Answered September 4, 2019 - 6:10pm

Comments (2)

  • nembosec

    I ran the same tests you did, and everything works fine.
    The $Sender field is just like yours.
    My txt files are saved with the correct name:
    -> services.fw.mi01.custom.cloud node 1.txt

    But I don't understand why it gives this ERROR:

    -> 2019-09-04 17:56:29 ERROR failed to open E://*****/services.fw.mi01.custom.cloud node 1 action=Discard.txt; The filename, directory name, or volume label syntax is incorrect.

    September 4, 2019 - 6:55pm
  • b0ti (NXLog)

    You need to correct the path:
    E://*****/services.fw.mi01.custom.cloud node 1 action=Discard.txt

    September 10, 2019 - 8:50am