Hello Team,
I am new to Nxlog and we have a requirement to send the below log file content to a syslog server; the fields will be the same for every new log file.
Can you please help in writing a conf file to send it to syslog.
Sample log file:
OPSWAT - METADEFENDER KIOSK SCAN RESULTS
User ID: TRAININGLAB\syslog
Profile: Default
Session ID: 52CE90C9-73DC-4150-AE7F-1FDCFF933D3F
PROCESSING FINISHED SUCCESSFULLY
Process Start Time: 2019-09-21 16:09:36
Process Finish Time: 2019-09-21 16:10:55
MetaDefender Kiosk Version: 4.3.5.2010
MetaDefender Core Version: 4.16.2
Device Information
Manufacturer: (Standard disk drives)
Model: SanDisk Cruzer Blade USB Device
Serial Number: 4C530000260530107000
Device ID: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000260530107000&0
Media Type: USB Device
Partition Count: 1
Partition Name: Disk #1, Partition #0
- Bootable: NO
Disk Usage: 39MB / 14GB
Scanning System: SYSTEM1
Full Media Scanned: NO
Full Media Processed: NO
Total Files Scanned: 7
Total Files Processed: 7
Blocked Files
No blocked files found
Blocked Actions Taken
- Sanitized: 0
- Quarantined: 0
- Deleted: 0
- Post Action Ran: 0
- Copied To Media: 0
- Copied To Directory: 0
- Copied To Vault Server: 0
- Moved To Media: 0
- Moved To Directory: 0
- Moved To Vault Server: 0
- Destination Media Wiped: NO
Allowed Actions Taken
- Sanitized: 0
- Post Action Ran: 0
- Copied To Media: 0
- Copied To Directory: 0
- Copied To Vault Server: 0
- Moved To Media: 0
- Moved To Directory: 0
- Moved To Vault Server: 0
- Destination Media Wiped: NO
Skipped Files: 0
Failed To Delete: 0
File Type Totals
application/octet-stream: 1
application/pdf: 2
application/x-dosexec: 2
text/plain: 2
_______________________________________________________________________
ALLOWED FILES
1. PATH: E:\New Text Document (6).txt
SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
-----------------------------------------------------------------------
2. PATH: E:\SanDiskSecureAccess\DownloadSanDiskSecureAccess_Mac.pdf
SHA-256: B2E01B65F369095428DB35D59A41FDB80A5B16F6C496D7420D814B63CC8EEDCB
-----------------------------------------------------------------------
3. PATH: E:\SanDiskSecureAccess\SanDisk_SecureAccess_QSG.PDF
SHA-256: BC6D908229CA23F0FA78690BF5CD498F67A6FDB5CD368A4F89BABC98427A93CB
-----------------------------------------------------------------------
4. PATH: E:\New Text Document (7).txt
SHA-256: BDED243D2EEDEEF19D62D88A361A7019A007363BBBF429A873320015B865A456
-----------------------------------------------------------------------
5. PATH: E:\sgbox.txt
SHA-256: CA3ED41768F78C7E61BC782716010A208DE09464BDEB283D27DABE57318EE3B8
-----------------------------------------------------------------------
6. PATH: E:\SanDiskSecureAccessV3.1_win.exe
SHA-256: 829F3BC240D26077AC00CE58B15D7D349E5D473B83629D3CC404A34BA865C9EC
-----------------------------------------------------------------------
7. PATH: E:\epm.exe
SHA-256: 3D878E578E7340443785D4DC6CEA0A5B415D3BB107AFB0282DFEBF776930B216
-----------------------------------------------------------------------
_______________________________________________________________________
Comments (6)
Nxlog.conf which I have used:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension syslog>
Module xm_syslog
</Extension>
<Extension multiline_parser>
Module xm_multiline
#HeaderLine "OPSWAT - METADEFENDER KIOSK SCAN RESULTS"
HeaderLine /.*OPSWAT.*/
</Extension>
<Input log_file>
Module im_file
# define the file path (e.g. below)
# to collect logs from different files, indicate the file name pattern, for example *.txt, as in the following example
File 'c:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\Log\*-*-*-*-*.log'
InputType multiline_parser
Exec to_syslog_bsd();
</Input>
<Output log_file_out>
Module om_udp
# ip address/hostname of the SGBox
Host *************
# Port
Port 514
</Output>
<Route log_file>
Path log_file => log_file_out
</Route>
Nxlog is sending the file content as multiline to syslog, but it is also sending some information which is not required.
Example:
Not Required:
OPSWAT - METADEFENDER KIOSK SCAN RESULTS
PROCESSING FINISHED SUCCESSFULLY
_______________________________________________________________________
----------------------------------------------------------------------
Hi sunilj777,
We would suggest using the following configuration...
The results after processing your example file...
sunilj777!
I forgot to remove the following, it was there only for debugging purposes...
Exec log_info($raw_event);
Hi sunilj777,
Has the suggested solution solved your issue?
Hello Team,
We are looking for a few modifications in the result to drop the SHA-256 value; the result should only display the file names and ignore the SHA-256 value.
Another requirement on the lines below: if the "Blocked Files" result shows "No blocked files found", we want to replace or modify it as Blacklisted: 0 (only for the matching string "No blocked files found"), and if the result shows Blocked Files Blacklisted: 4 (example 4), nxlog should ignore it.
Blocked Files
No blocked files found - it should be replaced with Blacklisted and the number 0
Outcome in syslog:
Blocked Files
Blacklisted: 0
Other scenario: ignore if the log file has "No blocked files found" (no changes, send as is to syslog)
Regards
Sunil
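One way to cover both requests in the thread (dropping the banner, status and separator lines, dropping the SHA-256 lines, and rewriting "No blocked files found" as "Blacklisted: 0") in a single Exec block. This is an added example, not the configuration posted in the thread or one supplied by NXLog; it assumes the same file path, multiline header and UDP output as the posted nxlog.conf, and the syslog server address is a placeholder.

```nxlog
# Added example configuration; the global directives (define ROOT, LogFile,
# Moduledir, ...) from the posted nxlog.conf are kept unchanged above this.
<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension multiline_parser>
    Module      xm_multiline
    # A new report starts at the OPSWAT banner; everything up to the next banner is one event.
    HeaderLine  /^OPSWAT - METADEFENDER KIOSK SCAN RESULTS/
</Extension>

<Input log_file>
    Module      im_file
    File        'c:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\Log\*-*-*-*-*.log'
    InputType   multiline_parser
    <Exec>
        # $raw_event holds a whole report, so /m makes ^ and $ match per line
        # and /g applies the substitution to every matching line.
        # 1. Drop the banner, the status line and the underscore/dash separators.
        $raw_event =~ s/^(OPSWAT - METADEFENDER KIOSK SCAN RESULTS|PROCESSING FINISHED SUCCESSFULLY|_{5,}|-{5,})\r?\n//gm;
        # 2. Drop the SHA-256 lines so only the "N. PATH: ..." lines remain under ALLOWED FILES.
        $raw_event =~ s/^SHA-256: [0-9A-Fa-f]{64}\r?\n//gm;
        # 3. Rewrite the literal "No blocked files found" as a zero count. A report that
        #    already carries a real "Blacklisted: N" line does not match and passes unchanged.
        $raw_event =~ s/^No blocked files found$/Blacklisted: 0/m;
        to_syslog_bsd();
    </Exec>
</Input>

<Output log_file_out>
    Module      om_udp
    # placeholder: replace with the address of the SGBox syslog receiver
    Host        syslog.example.internal
    Port        514
</Output>

<Route log_file>
    Path        log_file => log_file_out
</Route>
```

A whole report sent as one UDP datagram can exceed the message size some syslog receivers accept, so check the receiver's limit; the same Exec block works unchanged with om_tcp if the transport needs to change.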