
Hi all,
I am using NXLog to convert logs from CEF to JSON, and the output currently looks like this: {"SourceModuleName":"udp","timestamp":"2020-07-30T10:23:53.433042+07:00","serverity":"Low","signature":"/Execute/Query","category":"/Success","action":"keyinst","direction":"0","host":"192.168.51.15"}
I want to add the fields "vendor_id":"xxxx","unit_id":"00000","sensor_id":"xxxx" before the message and change the order of the fields. Afterwards the message should look like this: {"vendor_id":"xxxx","unit_id":"00000","sensor_id","timestamp":"2020-07-30T10:23:53.433042+07:00","action":"keyinst","direction":"0","host":"192.168.51.15""SourceModuleName":"udp","serverity":"Low","signature":"/Execute/Query","category":"/Success",}

Thanks!

Asked July 30, 2020 - 5:20am
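A field order that a downstream consumer (SIEM parser, enrichment job) depends on is safer to enforce where the JSON lines are consumed than to rely on whatever order the collector happens to serialize, and the consumer can reject malformed lines at the same time. The following is an added example, not part of the original post and not NXLog code: it reads lines in the shape the question shows, prepends the three static fields, and emits the remaining fields in a fixed order. The prefix values, the field order list and the sample line are constructed from the values in the question; the "serverity" spelling is kept because that is the field name the poster's output uses.

```python
import json

# Static fields to put at the front of every record (placeholder values, as in the question).
PREFIX_FIELDS = {"vendor_id": "xxxx", "unit_id": "00000", "sensor_id": "xxxx"}

# Desired order for the fields that follow the prefix. Fields present in the record
# but absent from this list are appended after it, in their original relative order.
FIELD_ORDER = [
    "timestamp", "action", "direction", "host",
    "SourceModuleName", "serverity", "signature", "category",
]

# One line in the shape NXLog's to_json() produced for the poster (constructed sample).
SAMPLE_LINE = (
    '{"SourceModuleName":"udp","timestamp":"2020-07-30T10:23:53.433042+07:00",'
    '"serverity":"Low","signature":"/Execute/Query","category":"/Success",'
    '"action":"keyinst","direction":"0","host":"192.168.51.15"}'
)


def reorder_record(record, prefix=PREFIX_FIELDS, order=FIELD_ORDER):
    """Return a new dict: prefix fields first, then `order`, then any leftovers.

    A prefix key that already exists in the record is overwritten by the prefix
    value, so the static identifiers cannot be spoofed by the log source.
    """
    out = dict(prefix)
    for key in order:
        if key in record and key not in out:
            out[key] = record[key]
    for key, value in record.items():
        if key not in out:
            out[key] = value
    return out


def normalize_line(line):
    """Parse one JSON line and return it re-serialized in the enforced order.

    Returns None for lines that are not a JSON object (truncated or corrupt
    records), so the caller can count and quarantine them instead of crashing.
    """
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    # dict preserves insertion order (Python 3.7+), so json.dumps keeps it.
    return json.dumps(reorder_record(record), ensure_ascii=False)


def normalize_stream(lines):
    """Normalize an iterable of lines; returns (good_lines, rejected_count)."""
    good, rejected = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        out = normalize_line(line)
        if out is None:
            rejected += 1
        else:
            good.append(out)
    return good, rejected


if __name__ == "__main__":
    print(normalize_line(SAMPLE_LINE))
```

Run it against the file the `om_file` output writes (one JSON object per line) by feeding the lines to `normalize_stream`; the rejected count is worth alerting on, since a non-zero value means the collector emitted something that is not a JSON object.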

Answer (1)

Hi!

Could you share your `nxlog.conf` file?

Regards,
Rafal

Comments (2)

  • hunglq

    # Provides parse_cef() for the CEF payload carried in the syslog message body.
    <Extension _cef>
        Module  xm_cef
    </Extension>

    # Provides to_json() for the output module.
    <Extension _json>
        Module  xm_json
    </Extension>

    <Input udp>
        Module  im_udp
        Host    192.168.48.135
        Port    514
        # Static fields added to every record before parsing (placeholder values).
        # Field names must match the Keep list in the rewrite extension below.
        Exec    $vendor_id = 'xxx';
        Exec    $unit_id = '00000';
        Exec    $sensor_id = 'zzzz';
        # Parse the syslog header, then the CEF body left in $Message,
        # then apply the Keep/Rename rules of the rewrite extension.
        Exec    parse_syslog(); parse_cef($Message); rewrite->process();
    </Input>

    <Extension rewrite>
        Module  xm_rewrite
        # Only the listed fields survive; everything else is dropped from the record.
        Keep    EventTime, categoryOutcome, categoryBehavior, act, dst, spt, src, dpt, CEFSeverity, deviceDirection, proto, agt, vendor_id, unit_id, sensor_id
        Rename  EventTime, timestamp
        Rename  categoryOutcome, category
        Rename  categoryBehavior, signature
        Rename  act, action
        Rename  dst, dest_ip
        Rename  dpt, dest_port
        Rename  src, src_ip
        Rename  spt, src_port
        Rename  CEFSeverity, serverity
        Rename  deviceDirection, direction
        Rename  agt, host
    </Extension>

    <Output json_file>
        Module  om_file
        File    '/opt/nxlog/var/log/nxlog/log.json'
        # Serialize the remaining fields of each record as one JSON line.
        Exec    to_json();
    </Output>

    <Route r>
        Path    udp => json_file
    </Route>