3
responses

Hello:

I have been working on setting up an intermediary SYSLOG Server to receive syslog events from various network devices as part of my Splunk deployment.
Please NOTE: This is a WINDOWS 2019 Server environment.

I am a newbie to NXLog . I have been able to get a base configuration working to receive data on port 514. I can successfully write to a file but the only option that seems to work is to write to file using the source IP Address, but I want to write to a file using the source Hostname.

I am using the Community Edition and do not have access to use xm_resolver.

How can I receive syslog data and write that data to file using source HOSTNAME?

I have been researching and trying now for close to a month with no success. Any information / guidance would be greatly appreciated.

Thank you for your time.
Regards,
--Diane Proscino

Asked February 19, 2020 - 9:45pm

Comments (3)

  • manuel.munoz (NXLog)

    Diane,

    Maybe what you need is...

    string hostname()
    Return the hostname (short form).
    
    string hostname_fqdn()
    Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined.
    

    Can you please paste here the config you are using?

  • dproscino

    Hi Manuel:

    Thanks for your reply.
    Where would I put this line "string hostname()"?

    Here is the default configuration I am using. This configuration works and currently saves the data to file using the Source IP Address. But I want to change $MessageSourceAddress to a variable that would hold the Hostname.

    # parse_syslog_ietf() is provided by xm_syslog and file_cycle() by xm_fileop,
    # so both extensions need to be loaded for this configuration to start.
    <Extension syslog>
    Module xm_syslog
    </Extension>

    <Extension fileop>
    Module xm_fileop
    </Extension>

    <Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    # Parse the RFC 5424 header into fields such as $Severity and $Hostname
    Exec parse_syslog_ietf();
    </Input>

    <Output out>
    Module om_file
    # One directory per source address, one file per severity
    File "F:/nxlog/" + $MessageSourceAddress + "/" + $MessageSourceAddress + "-" + $Severity + ".log"
    CreateDir TRUE
    # Rotate at 100 MB and keep 5 old copies
    Exec if (out->file_size() > 100M) file_cycle("F:/nxlog/" + $MessageSourceAddress + "/" + $MessageSourceAddress + "-" + $Severity + ".log", 5);
    Exec out->reopen();
    </Output>

    <Route 1>
    Path udp => out
    </Route>

  • Arkadiy (NXLog)

    Hello Diane,

    In your case it would be like this:

    # xm_syslog provides parse_syslog_ietf(), xm_fileop provides file_cycle()
    <Extension syslog>
    Module xm_syslog
    </Extension>

    <Extension fileop>
    Module xm_fileop
    </Extension>

    <Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    # hostname_fqdn() is a core function, see the reference manual linked below
    Exec $FQDN = hostname_fqdn();
    Exec parse_syslog_ietf();
    </Input>

    <Output out>
    Module om_file
    File "F:/nxlog/" + $FQDN + "/" + $FQDN + "-" + $Severity + ".log"
    CreateDir TRUE
    Exec if (out->file_size() > 100M) file_cycle("F:/nxlog/" + $FQDN + "/" + $FQDN + "-" + $Severity + ".log", 5);
    Exec out->reopen();
    </Output>

    <Route 1>
    Path udp => out
    </Route>


    You can read more about it here: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#core_funcs
    Please let us know if it works for you.

    Best regards, Arch
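An added illustration of the file-naming step discussed in this thread (example code, not part of the thread and not NXLog code): the HOSTNAME field of an RFC 5424 header, which parse_syslog_ietf() stores in $Hostname, is written by the sending device, so a path built from it should be validated before use. The sample messages, the base directory F:/nxlog and the fallback to the source address are constructed for the example; severity names follow the RFC rather than NXLog's $Severity values.

```python
import re
from ipaddress import ip_address

# Constructed RFC 5424 messages (not from the original post). The second has a
# NILVALUE hostname, the third carries a path-traversal attempt in HOSTNAME.
SAMPLE_MESSAGES = [
    ("10.0.0.5", "<34>1 2020-02-19T21:45:00Z fw01.example.net sshd 1234 ID47 - Failed password for root"),
    ("10.0.0.6", "<13>1 2020-02-19T21:46:00Z - app - - - no hostname in header"),
    ("10.0.0.7", "<13>1 2020-02-19T21:47:00Z ../../Windows/Temp/evil app - - - traversal attempt"),
]

SYSLOG_SEVERITY = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
# PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID (RFC 5424 section 6)
HEADER_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_header(msg):
    """Return (hostname, severity) from the header, the fields parse_syslog_ietf()
    exposes as $Hostname and $Severity (severity names here are the RFC ones)."""
    m = HEADER_RE.match(msg)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return m.group(3), SYSLOG_SEVERITY[pri & 7]


def is_safe_hostname(name):
    """Accept only DNS-shaped names: no separators, no empty labels, no NILVALUE."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def log_path(base, source_ip, msg):
    """Build <base>/<host>/<host>-<severity>.log, falling back to the source
    address when the header hostname is missing or is not a valid name."""
    hostname, severity = parse_header(msg)
    if not is_safe_hostname(hostname):
        hostname = str(ip_address(source_ip))  # validates the fallback as well
    return f"{base}/{hostname}/{hostname}-{severity}.log"


if __name__ == "__main__":
    for ip, msg in SAMPLE_MESSAGES:
        print(log_path("F:/nxlog", ip, msg))
```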

Answers (0)