Hello,

I'm trying to configure NXLog CE (installed on Windows Server 2012 R2) to collect syslog (from a Cisco ASA), save it to a file and send it to Azure Log Analytics (aka Microsoft OMS). As a first step I tried to collect syslog, convert it to JSON and save it to a file. It works well. For the next step I installed the latest Python (3.8) and checked that all libs are installed. After that I changed the nxlog.conf according to the manual (https://nxlog.co/documentation/nxlog-user-guide/azure-oms.html#forwarding-data-to-log-analytics). But NXLog gives me the following error: ERROR apr_file_write failed in om_exec; The pipe is being closed.

How can I fix this error?

My nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
define JSONLOGFILE C:\Program Files (x86)\nxlog\data\json.txt
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input udp>
    Module  im_udp
    Port    514
    Host    192.168.1.2
    Exec    parse_syslog(); to_json();
</Input>

<Output file>
    Module  om_file
    File    '%JSONLOGFILE%'
</Output>

<Output azure_oms>
    Module      om_exec
    Command "C:\\Users\\user\\AppData\\Local\\Programs\\Python\\Launcher\\py.exe"
    Arg  "C:\Program Files (x86)\nxlog\oms-pipe.py"
</Output>

<Route udp_to_file_and_oms>
    Path    udp => file, azure_oms
</Route>

My configuration is different from the example in the manual in the "Output azure_oms" part. If I use this part as in the manual, an error appears:

<Output azure_oms>
    Module      om_exec
    Command     oms-pipe.py
    Exec        to_json();
</Output>

Error:

ERROR couldn't execute process oms-pipe.py; The system cannot find the file specified.

Please help me fix this error.

Asked April 26, 2020 - 3:17am

Answer (1)

Hi,

im_python uses python2. Please try installing python2.

-MisaZ

Comments (5)

  • Anton.I

    Hello MisaZ.

    Thank you for the answer.

    Unfortunately, I can’t use im_python (or om_python) because it is missing in the Community Edition. :(

    I installed python2, but it doesn't give any benefit.

    Maybe compile the .py to an .exe?

    Is it really impossible to send events to the Log analytics?

  • Anton.I

    Hi Manuel,

    I have 2 reasons.
    1. Because I am not a Python or Perl programmer and unfortunately I cannot rewrite the script from Python to Perl. :-(
    2. The Perl module (xm_perl) is also absent in the Community Edition.

    There are only these modules in the Community Edition:
    om_blocker
    om_exec
    om_file
    om_http
    om_null
    om_ssl
    om_tcp
    om_udp

    xm_charconv
    xm_csv
    xm_exec
    xm_fileop
    xm_gelf
    xm_json
    xm_kvp
    xm_multiline
    xm_syslog
    xm_xml

    Maybe somehow you can run the python script? For example, like this:
    exec_async("C:\\Python27\\python.exe", "C:\\nxlog\\oms-pipe.py");

    Is there really no way out?

  • Anton.I

    I did it :) It works!

    I compiled the Python script and exec the ".exe" in the config.

    <Output azure_oms>
        Module      om_exec
        Command "C:\\Program Files (x86)\\nxlog\\oms-pipe.exe"
    </Output>
    

    Thanks for the help!
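
Added example (not from this thread or from NXLog's documentation): om_exec writes each event to the standard input of the command it launches, so a script in that position has to keep reading until EOF; if it exits, the writer is left with a closed pipe. The Python 3 stand-in below drains stdin, skips malformed lines instead of crashing, and writes batches to a local debug file instead of posting to Log Analytics, so the om_exec wiring can be tested on its own. The `consume` function, the `oms-pipe-debug.txt` file name and the sample events are assumptions made for this example.

```python
"""Stand-in child for om_exec (added example): drain stdin until EOF."""
import json
import sys

# Constructed one-JSON-object-per-line input (not real logs).
SAMPLE = (
    '{"Hostname": "fw1", "Message": "constructed event 1"}\n'
    'this line is not JSON\n'
    '\n'
    '{"Hostname": "fw1", "Message": "constructed event 2"}\n'
    '[1, 2]\n'
    '{"Hostname": "fw1", "Message": "constructed event 3"}\n'
)


def consume(stream, sink, batch_size=2):
    """Read one JSON object per line; pass lists of events to sink()."""
    stats = {"ok": 0, "bad": 0, "batches": 0}
    batch = []
    for line in stream:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not a JSON object")
        except ValueError:
            # Count and skip: an uncaught exception would end the process
            # and close the pipe the parent is still writing to.
            stats["bad"] += 1
            continue
        stats["ok"] += 1
        batch.append(event)
        if len(batch) >= batch_size:
            sink(batch)
            stats["batches"] += 1
            batch = []
    if batch:  # EOF (parent stopped or closed the pipe): flush the rest
        sink(batch)
        stats["batches"] += 1
    return stats


if __name__ == "__main__":
    # Hypothetical debug sink: append each batch to a local file.
    with open("oms-pipe-debug.txt", "a", encoding="utf-8") as out:
        stats = consume(sys.stdin, lambda b: out.write(json.dumps(b) + "\n"))
    print(stats, file=sys.stderr)
```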