
Hi All,

Needed help with parsing/modify. Would greatly appreciate some direction. At the moment, I am parsing a plain-text log file and sending it to a remote server:

Jun 19 16:29:28 server12345 [...] 
Jun 19 16:29:28 server12345 --- 
Jun 19 16:29:27 server12345 [program.state :3371]

The above is what I get with parsing. I was hoping to transform every line like this:

Jun 19 16:29:28 server12345 **programName1** [...] 
Jun 19 16:29:28 server12345 **programName1** --- 
Jun 19 16:29:27 server12345 **programName1** [program.state :3371]

Can someone help me understand how I can get programName1 appended to each file, after the server hostname?

Also, is it possible to parse the server-name, and replace it as follows:

Jun 19 16:29:28 **server12345--NA** programName1 [...] 
Jun 19 16:29:28 **server12345--NA** programName1 --- 
Jun 19 16:29:27 **server12345--NA** programName1 [program.state :3371]

Would appreciate some guidance on how to change this via config. I am currently reading in a text file via the om_file method.

Update: Relevant snippets of config:

<Input log_file>
    Module      im_file
    File        'C:\program\var\log\file.log'
    #InputType   multiline_parser
    Exec    parse_syslog();
</Input>

<Processor norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
    OutputFormat syslog_rfc3164
</Processor>


<Route log_output>
  Path log_file   => norepeat => log_output
</Route>

<Output log_output>
  Module om_udp
  Host x.x.x.x
  Port 514
</Output>

Asked June 22, 2020 - 10:07pm

Answer (1)

Please paste your current config.

Comments (2)

  • NXLog_user12345

    Thanks Manuel. Here are the relevant snippets of my config:

    <Input log_file>
        Module      im_file
        File        'C:\program\var\log\file.log'
        #InputType   multiline_parser
        Exec    parse_syslog();
    </Input>
    
    <Processor norepeat>
        Module      pm_norepeat
        CheckFields Hostname, Message, SourceName
        OutputFormat syslog_rfc3164
    </Processor>
    
    
    <Route log_output>
      Path log_file   => norepeat => log_output
    </Route>
    
    <Output log_output>
      Module om_udp
      Host x.x.x.x
      Port 514
    </Output>
    

  • manuel.munoz (NXLog)

    Once parse_syslog() has been called, you need to use the newly populated fields to build your $raw_event.

    $SyslogFacility, $SyslogSeverity, $EventTime, $Hostname, $SourceName, $ProcessID, $Message
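
One way to apply the advice above to the posted Input block, as an added example that is not part of the original thread or NXLog's own documentation: it rewrites the fields set by parse_syslog() and rebuilds $raw_event in the layout the question asks for. It assumes parse_syslog() leaves the text after the hostname in $Message for these lines, and that the Processor, Route and Output blocks stay as posted.

```conf
# xm_syslog provides parse_syslog() and to_syslog_bsd().
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input log_file>
    Module      im_file
    File        'C:\program\var\log\file.log'
    <Exec>
        # Populate $EventTime, $Hostname, $Message, ... from the raw line.
        parse_syslog();

        # Values requested in the question.
        $Hostname   = $Hostname + '--NA';
        $SourceName = 'programName1';

        # The output module sends $raw_event, so changing fields alone is
        # not enough: the line has to be rebuilt from them.
        $raw_event = strftime($EventTime, '%b %d %H:%M:%S') + ' ' +
                     $Hostname + ' ' + $SourceName + ' ' + $Message;

        # Alternative: replace the assignment above with to_syslog_bsd();
        # to emit a standard BSD syslog line built from the same fields
        # (it adds the <PRI> prefix and a "programName1:" tag).
    </Exec>
</Input>
```

Because $Hostname and $SourceName are set before the event reaches pm_norepeat, its CheckFields comparison sees the rewritten values.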