Cannot extract data from regex? All variables are always empty
Hello I'm trying to send Windows DNS logs through NXLog, but i'm having a problem. I followed the documentation and ended up with the following config file.
Events seem to match the regex, but then i can't seem to use any of the named group names ($Date, $QuestionName, ... any). I tried to log_info(); but it always shows up as an empty string in the log file :
- This: log_info('q is ' + $QuestionName);
- Shows up in logs as "q is" (and nothing else)
Anyone knows what i'm doing wrong ? I don't see "no match" in my logfile so i guess events always match the EVENT_REGEX.
Been struggling with this for 24 hours .. even tried unnamed capture groups but also the $0, $1... always show empty.
(config file also at https://pastebin.com/s4CaJg9k in case of problems)
Panic Soft #NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data
Example data :
#14-09-19 09:20:39 0B64 PACKET 0000005487B8E130 UDP Rcv 172.30.2.30 486a Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(8)transfer(2)be(0) #14-09-19 09:20:39 0B60 PACKET 0000005487FAC120 UDP Rcv 172.30.1.38 9b88 Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(0)
define EVENT_REGEX /(?x)(?<Date>\d+(?:-\d+){2})\s (?<Time>\d+(?::\d+){2})\s (?<ThreadId>\w+)\s+ (?<Context>\w+)\s+ (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ (?<Protocol>\w+)\s+ (?<SendReceiveIndicator>\w+)\s (?<RemoteIP>[[:xdigit:].:]+)\s+ (?<Xid>[[:xdigit:]]+)\s (?<QueryType>\s|R)\s (?<Opcode>[A-Z]|?)\s (?<QFlags>[(.?)])\s+ (?<QuestionType>\w+)\s+ (?<QuestionName>.)/ define EMPTY_EVENT_REGEX /(^$|^\s+$)/ define DOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)/ define SUBDOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)(\d+)(\w+)/ define NOT_STARTING_WITH_DATE_REGEX /^(?!\d+-\d+-\d+).+/ define QFLAGS_REGEX /(?x)(?<FlagsHex>\d+)\s+ (?<FlagsCharCodes>\s+|([A-Z]{2}|[A-Z]))\s+ (?<ResponseCode>\w+)/
<Extension _json> Module xm_json </Extension>
<Input in> Module im_file File 'C:\dnslog\dns.log' <Exec> # Drop entries that have empty lines if $raw_event =~ %EMPTY_EVENT_REGEX% drop(); # Drop entries not starting with date if $raw_event =~ %NOT_STARTING_WITH_DATE_REGEX% drop(); # Split entries into fields & define regular entries if $raw_event =~ %EVENT_REGEX% { $Regular = TRUE; #$EventTime = parsedate($Date + " " + $Time); $Raw = $raw_event; #delete($date); #delete($time); if $FlagsCharCodes =~ /^\s+$/ delete($FlagsCharCodes ); # Convert domains from (8)mydomain(1)com to mydomain.com if $QuestionName =~ %DOMAIN_REGEX% $QuestionName = $1 + "." + $2; # Convert domains from (8)sub(8)mydomain(1)com to sub.mydomain.com if $QuestionName =~ %SUBDOMAIN_REGEX% $QuestionName = $1 + "." + $2 + "." +$3;
# Set query flags
if $QFlags =~ %QFLAGS_REGEX% delete($QFlags);
# Set the query type
if $QueryType =~ %EMPTY_EVENT_REGEX% $QueryType = "query";
else $QueryType = "response";
log_info('q is ' + $QuestionName);
}
else
{
$Regular = FALSE;
$Raw = $raw_event;
log_info("no match");
}
</Exec>
</Input>
<Output out> Module om_file Exec to_json(); File 'C:\output-dns-traffic.json' </Output>
<Route r1> path in => out </Route>
It seems i can only use/read/log specifically set variables ($Raw, $raw_event, $QueryType). None of the group names in the regex ($Date, $Time, $QuestionName) can be used at all.. yet it seems the regex matches the ~=, as shown by the log_info statements that get logged.
I must be missing something simple.
