
Hi all,

How do I divide my NxLog configuration file into conditionals based on queries? I have an nxlog.conf that doesn't apply equally to all hosts, and NxLog fails if it has to query something that doesn't exist on a Windows server.

I'd like to keep 1 nxlog.conf for all servers instead of having to maintain many confs for a variety of servers.

In pseudocode:

if [ exists Microsoft-Windows-TerminalServices ]
then
<query id="3">
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
</query>

However, I'm having a hard time translating a lot of the "if statements" I see to NxLog query formats. Anyone have any resources or tips to guide me?

Here's what I tried, obviously wrong, <Exec> cannot be in <QueryList>:

<Exec>
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational')
    <Query id="3">
    <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select>
    </Query>
</Exec>

Also tried:

<Exec>
if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') \
    <QueryXML> \
            <QueryList> \
            <Query id="3"> \
                <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select> \
            </Query> \
            </QueryList> \
        </QueryXML>
</Exec>
</Input>

Thanks for your help.

Asked April 3, 2020 - 9:50pm

Answer (1)

There is a parameter that can help to achieve that, but it is only available in the Enterprise Edition:

TolerateQueryErrors: This boolean directive specifies that im_msvistalog should ignore any invalid sources in the query. The default is FALSE: im_msvistalog will fail to start if any source is invalid.

Comments (1)

  • wbollock

    So there's not a workaround for this in the Community edition? It would seem silly for my org to buy the Enterprise edition for one parameter, but I do understand the work that goes into this software.

    EDIT:

    I believe I found the solution, well a workaround.

    Multiple inputs, nxlog/im_msvistalog won't fail completely if one input does. Example:

    <Input in>
    Module im_msvistalog
    
    <do stuff>
    
    </Input>
    
    <Input in2>
    Module im_msvistalog
    
    <do stuff that breaks nxlog normally, like channels that aren't found>
    
    </Input>
    
    <Route 1>
        Path in, in2 => out
    </Route>
    

    Thus, when in2 fails, the whole thing doesn't collapse. Ideally, the TolerateQueryErrors parameter would be ported to Community edition instead. And maybe ResolveSID, that would be nice too!
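
The multiple-input workaround from the comment above, filled in as an added example (not code from the original thread or from NXLog). The instance names `eventlog_core` and `eventlog_rds`, the `Security`/`System` channels and the `om_tcp` destination `192.0.2.10:514` are constructed assumptions; the optional channel path is the one from the question.

```conf
# Channels that exist on every Windows host go in one input.
<Input eventlog_core>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# A channel that only some hosts have gets its own input, so an
# invalid source affects this instance only (behaviour as reported
# in the comment above for the Community Edition).
<Input eventlog_rds>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Constructed destination (documentation address range).
<Output out>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
</Output>

<Route eventlog>
    Path    eventlog_core, eventlog_rds => out
</Route>
```

Per the comment, the isolated input fails on hosts that lack the channel, so review NXLog's own log after startup to confirm which inputs are actually collecting.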