Hi all,
How do I divide my NxLog configuration file into conditionals based on queries? I have an nxlog.conf that doesn't apply equally to all hosts, and NxLog fails if it has to query something that doesn't exist on a Windows server.
I'd like to keep 1 nxlog.conf for all servers instead of having to maintain many confs for a variety of servers.
In pseudocode:
if [ exists Microsoft-Windows-TerminalServices ]
then
<query id="3">
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
</query>
However, I'm having a hard time translating a lot of the "if statements" I see to NxLog query formats. Anyone have any resources or tips to guide me?
Here's what I tried, obviously wrong; <Exec> cannot be in <QueryList>:
<Exec>
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational')
<Query id="3">
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select>
</Query>
</Exec>
Also tried:
<Exec>
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') \
<QueryXML> \
<QueryList> \
<Query id="3"> \
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select> \
</Query> \
</QueryList> \
</QueryXML>
</Exec>
</Input>
Thanks for your help.
Comments (1)
So there's not a workaround for this in the Community edition? It would seem silly for my org to buy the Enterprise edition for one parameter, but I do understand the work that goes into this software.
EDIT:
I believe I found the solution, well a workaround.
Multiple inputs, nxlog/im_msvistalog won't fail completely if one input does. Example:
Thus, when in2 fails, the whole thing doesn't collapse. Ideally, the TolerateQueryErrors parameter would be ported to Community edition instead. And maybe ResolveSID, that would be nice too!
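The multiple-input workaround described in the comment above, sketched as an added illustration (this is not the commenter's own configuration, which is not present on this page). The instance names in1 and in2 follow the comment; the channels chosen for in1, the output module and the 192.0.2.10:514 destination are constructed placeholders.

```conf
# in1: channels that exist on every Windows host.
<Input in1>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# in2: the optional channel from the question, kept in its own instance.
# Per the comment, on hosts without this channel only in2 fails and in1
# keeps collecting.
<Input in2>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Placeholder destination (constructed); replace with your collector.
<Output out>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
</Output>

# Both inputs feed the same output, so one nxlog.conf serves all hosts.
<Route r1>
    Path    in1, in2 => out
</Route>
```

On hosts where in2 cannot start, nxlog.log records the failed module, so a missing optional channel still shows up in the agent's own log and can be told apart from a host that has stopped forwarding altogether.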