Hello,
I am sending a message with a hostname to my syslog server. My conf is as follows:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog

    <Exec>
        parse_syslog();
        $Message = "hostnamexxx" + $Message;
        to_syslog_ietf();
    </Exec>

</Input>

<Output out>
    Module om_udp
    Host xx.xxx.xx
    Port 514
    Exec to_syslog_ietf();
</Output>

<Route 1>
    Path in => out
</Route>

My log is coming with the message correctly:

Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] hostnamexxxxINFO 1102 The audit log was cleared. Subject: Security ID: # xxxxxxxx-1001 Account Name: Admin Domain Name: DESKTOP-XXXXX Logon ID: 0xD438A

However, the message "hostnamexxxx" is coming in the middle of the log, as you can see above. This is disturbing my parser. Is there any way I can put this "hostnamexxxx" message last in my log? Example:

Feb 12 23:11:34 DESKTOP-XXXXX Microsoft-Windows-Eventlog [964] INFO 1102 The audit log was cleared. Subject: Security ID: # xxxxxxxx-1001 Account Name: Admin Domain Name: DESKTOP-XXXXX Logon ID: 0xD438A hostnamexxxx

Thanks

Asked January 20, 2020 - 3:03pm

Answer (1)