4 responses

Hello,

I am evaluating NXLog using the Community Edition. I created the input shown below to monitor certain Windows events and forward them via email. Everything is working as expected, except that the $Message or $raw_event variables always return the word "true" instead of the actual details about the event. Is this a limitation of the CE, or am I doing something else wrong? Many thanks in advance for your assistance.

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[Provider[@Name='Symantec AntiVirus' or @Name='Symantec Network Protection']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        exec("c:/utils/mailsend.exe", "-to", "info@****.com", "-body", $raw_event, "-subject", "Symantec EPP Alert");
    </Exec>
</Input>

Asked September 26, 2019 - 7:14pm

Answer (1)

I have a feeling "true" comes from somewhere else, as it's unlikely that nxlog is putting that value into the argument list. I think you also need to quote it:

... , '"' + $raw_event + '"', ...

Comments (3)

  • c9482

    Thank you for your answer - you are absolutely right. However, changing my exec statement as follows...

    exec("c:/utils/MailSend.exe", "-to", "info@****.com", "-body", '"'$raw_event'"', "-subject", "Symantec EPP Alert");

    ... results in:

    ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:60; couldn't parse statement at line 61, character 95 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected TOKEN_STRING, expecting )
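The following is an added example, not code from the original thread or from NXLog's documentation, showing how the quoted form from the answer fits into a complete configuration. In the NXLog language string concatenation is written with the `+` operator; two string literals placed next to each other with nothing between them (as in the comment above) are a syntax error, which is what the "unexpected TOKEN_STRING" message reports. The example assumes the mailsend.exe path from the question, a placeholder recipient address, and that no xm_exec extension is already declared elsewhere in nxlog.conf.

```nxlog
# Added example, not part of the original thread. Assumes mailsend.exe at the
# path from the question and a placeholder recipient address (constructed).

# exec() and exec_async() are provided by the xm_exec extension module; it has
# to be loaded before an Exec block can call either function.
<Extension exec>
    Module      xm_exec
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[Provider[@Name='Symantec AntiVirus' or @Name='Symantec Network Protection']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # '"' + $raw_event + '"' builds one argument: the event text wrapped in
        # double quotes. Writing '"'$raw_event'"' without the '+' operators is
        # what produced the "unexpected TOKEN_STRING, expecting )" parse error.
        exec_async("c:/utils/mailsend.exe",
                   "-to", "info@example.com",
                   "-body", '"' + $raw_event + '"',
                   "-subject", "Symantec EPP Alert");
    </Exec>
</Input>
```

exec_async() is used here instead of exec() because exec() waits for the spawned process to finish before the module continues, so a slow mail delivery would stall event collection; exec_async() returns immediately. If the rest of nxlog.conf already declares an xm_exec extension, the Extension block above should be omitted rather than duplicated.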