5 responses

I am trying to run a script every time an error is found in the logs.

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    "/home/rafal/gitprojects/mst-sender/hub.cloudradar-error.log"
    <Exec>
        if $raw_event =~ /(\S+)\ (.+) \[ERROR (.+)/
        {
            exec_async("/bin/sh", "/home/rafal/gitprojects/mst-sender/run.sh");
        }
    </Exec>
</Input>

From the documentation it looks like it should exec async if the regex matches, but I am seeing only the following log, "WARNING not starting unused module in", and the script is not executed. I don't need to output it, only run that script.

I added a route but this ain't helping either.

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

I created another config file as follows just to log a warning, but again it's not getting executed.

define ACTION { log_warning("dropping message"); drop(); }

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    'D:\mst-sender\hub.cloudradar-error.log'
    Exec    if $raw_event =~ /ERROR/ %ACTION%
</Input>

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

and here is my config file

04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96

UPDATE

I found the problem. It's a silly mistake of mine. You need to make changes in the log file to see the log lines being parsed.

Asked May 5, 2020 - 1:06pm

Answer (1)

Hi,

In this config:

define ACTION { log_warning("dropping message"); drop(); }

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_file
    File    'D:\mst-sender\hub.cloudradar-error.log'
    Exec    if $raw_event =~ /ERROR/ %ACTION%
</Input>

<Output out1>
    Module  om_null
</Output>

<Route 1>
    # Basic route
    Path    in => out1
</Route>

You are missing the ; in this line: Exec if $raw_event =~ /ERROR/ %ACTION%

Also, for test purposes, you can set it to log errors to a file using om_file, that way you can confirm that your regex is working and picking up events.

I hope this is good enough to get you going.

~MisaZ

Comments (4)

  • Rafalf

    Thanks for pointing that out, I'll fix that.
    I believe I have tried outputting today to a file, can't recall if it was om_file tho.
    By any chance would you be able to drop here any code for logging errors?

  • Misaziv (NXLog)

    You can also add log_info($raw_event) into this line: ACTION { log_warning("dropping message"); drop(); }, like this: ACTION { log_warning("dropping message"); drop(); log_info($raw_event); }

    This way you can see in the nxlog.log if its regex is catching it up.

    Also you can use regex101 to test your regex.

    ~MisaZ

  • Rafalf

    Thanks, I'll have a look tomorrow. When I had it as follows I did not see anything in the logs:

    { log_warning("dropping message"); drop(); }
    

    That's the main problem that I am facing, I have no idea how to debug code in nxlog. I see really nothing in the logs and don't even know if it's picking up lines.

  • Rafalf

    MisaZ - I've tried

    (1)

    <Extension _exec>
        Module  xm_exec
    </Extension>
    
    <Input in>
        Module  im_file
        File    'D:\mst-sender\hub.cloudradar-error.log'
        Exec    if $raw_event =~ /.+ERROR.+/ %ACTION%;
    </Input>
    
    <Output out1>
        Module  om_null
    </Output>
    
    <Route 1>
        # Basic route
        Path    in => out1
    </Route>
    

    (2) Regex - .+ so should match anything

    define ACTION { log_info($raw_event); drop(); }
    
    <Extension _exec>
        Module  xm_exec
    </Extension>
    
    <Input in>
        Module  im_file
        File    'D:\mst-sender\hub.cloudradar-error.log'
        Exec    if $raw_event =~ /.+/ %ACTION%;
    </Input>
    
    <Output out1>
        Module  om_null
    </Output>
    
    <Route 1>
        # Basic route
        Path    in => out1
    </Route>
    

    (3) as you suggested

    define ACTION { log_warning("dropping message"); drop(); log_info($raw_event); }

    <Extension _exec>
        Module  xm_exec
    </Extension>
    
    <Input in>
        Module  im_file
        File    'D:\mst-sender\hub.cloudradar-error.log'
        Exec    if $raw_event =~ /.+ERROR.+/ %ACTION%;
    </Input>
    
    <Output out1>
        Module  om_null
    </Output>
    
    <Route 1>
        # Basic route
        Path    in => out1
    </Route>
    

    Here is the log I am trying to parse

    04/Apr/2020:20:55:35 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:35 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:35 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:36 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:36 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:36 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:36 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    04/Apr/2020:20:55:36 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice:  Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
    

    Regex definitely is matching https://regex101.com/r/7pINtv/1

    I am using NXLog-CE 2.10.2150

    Any idea how I could DEBUG it further or make it work? I would be OK with paying you for it if you were able to get it to work, if required (PayPal or something). I just need to get this sorted and am running out of ideas.
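
A troubleshooting configuration for the situation in this thread, added here as an example and not taken from the original posts or from NXLog's own material. It makes im_file read the lines already present in the file (the behaviour noted in the question's UPDATE), logs every match before anything can end processing of the event, and writes matches to a file with om_file as the answer suggests. The input path is the one used in the thread; the output path is a placeholder.

```conf
<Input in>
    Module        im_file
    File          'D:\mst-sender\hub.cloudradar-error.log'
    # Both directives default to TRUE: im_file resumes from its saved
    # position, or starts at the end of the file, so lines that were
    # already in the file when NXLog started are never read.
    # Set both to FALSE while testing so existing lines are processed.
    SavePos       FALSE
    ReadFromLast  FALSE
    <Exec>
        if $raw_event =~ /\[ERROR /
        {
            # Log first. drop() ends processing of the event, so any
            # statement placed after it never runs.
            log_info("matched: " + $raw_event);
        }
        else
        {
            # Non-matching lines are discarded and never reach the output.
            drop();
        }
    </Exec>
</Input>

<Output matched>
    Module  om_file
    # Placeholder path: every matched line is written here, which
    # confirms the regex independently of nxlog.log.
    File    'D:\mst-sender\matched-errors.log'
</Output>

<Route 1>
    Path    in => matched
</Route>
```

Once matches show up in both nxlog.log and the output file, the log_info() call can be replaced by the exec_async() call from the question, with xm_exec loaded. Keep its argument list fixed rather than building a command line from $raw_event, and note that the sample log repeats the same error several times per second, so the script is started once per matching line.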