
I'm currently using nxlog to filter and forward syslog: source => filter logs on an intermediate server with nxlog installed => forward to UDP 514 (syslog).

Config looks like the following:

<Extension _syslog>
    Module      xm_syslog
</Extension>
#syslog to Nxlog01
<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        if (($Message =~ /REGEX/)
              or ($Message =~ /REGEX/))
                drop();
    </Exec>
    Exec if $MessageSourceAddress != "1.1.1.1" drop();
</Input>
<Processor _sys_norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>
#Syslog Output to DST server
<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    Exec        to_syslog_bsd();
</Output>
<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>

Firstly, is this possible with the CE agent?

I already performed a tcpdump on the intermediate server where nxlog is installed, and I can see the syslog being received but not sent after being filtered. There is UDP 514 connectivity between the nxlog server and the destination server.

I tried:

  • Removing all regex filtering (since I thought my regex wasn't good enough); no results.

  • Changed im_udp to im_tcp (I thought maybe you can't use the same port in both input and output modules).

  • Checked whether there actually is network connectivity between the nxlog server and the destination server, using nc to send a UDP 514 packet to the destination server.

Can anyone help with this?

Asked June 23, 2020 - 4:45pm

Answer (1)

It seems you are missing a parse_syslog(); call...

    <Exec>
        HERE!!!
        if (($Message =~ /REGEX/)

Comments (1)

  • jd01

    Thanks for the heads up, you put me on the right track.

    With parse_syslog(); it wasn't working either, so I specified the syslog format by using parse_syslog_bsd();

    and it finally worked!!
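The corrected pipeline, written out here as an added example; it is not the poster's final configuration or anything from nxlog's documentation. It keeps the poster's module names and route and adds the parse_syslog_bsd() call from the comment above. `dstserver_ip`, `1.1.1.1` and the `/REGEX/` patterns are the poster's own placeholders and are left unfilled. The point it illustrates: with im_udp the received line lands only in $raw_event, and $Message, $Hostname and $SourceName stay undefined until a parse call fills them, so a regex on $Message can never match; pm_norepeat compares exactly those three fields, so with nothing parsed it would see every event as identical to the previous one (my reading of how CheckFields comparison behaves on undefined fields, not something the thread states).

```nxlog
<Extension _syslog>
    Module      xm_syslog
</Extension>

# syslog in from the sources
<Input _sys_in>
    Module      im_udp
    Port        514
    <Exec>
        # $MessageSourceAddress is set by im_udp itself, so the
        # source check can run before any parsing is done.
        if $MessageSourceAddress != "1.1.1.1" drop();

        # Fill $Message, $Hostname, $SourceName, $SyslogSeverity, ...
        # from $raw_event. Without this call the fields are undefined
        # and the regex filters below never match anything.
        parse_syslog_bsd();

        # /REGEX/ are the poster's placeholders, left as-is
        if (($Message =~ /REGEX/)
              or ($Message =~ /REGEX/))
                drop();
    </Exec>
</Input>

# Collapse consecutive identical events; depends on the fields parsed above.
<Processor _sys_norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>

# syslog out to the destination server
<Output _sys_out>
    Module      om_udp
    Host        dstserver_ip
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route Logs>
    Path        _sys_in => _sys_norepeat => _sys_out
</Route>
```

To confirm the parser is actually populating the field, a temporary `log_info($Message);` right after the parse_syslog_bsd() call will write each parsed message to nxlog's own log; if that line shows the message while the outbound tcpdump on port 514 still shows nothing, the problem is downstream of the input block rather than in the filter.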