2 responses

Hi,

in my design, I use NXlog Community Edition servers as proxy collectors in network security zones; all production servers forward their logs to their closest NXlog proxy collector node, which in turn forwards to a SIEM server Output target.
My question is: On such a collector node, can I parse the incoming data and, if it is coming from a certain production server Input module instance, e.g. <Input myInput1>, forward only this data to a secondary Output target?
The challenge lies in the fact that currently I've only got one collector node per security zone. The individual production server can only forward to the collector in the same zone, otherwise I would have created a separate Output instance and a Route for the particular Input instance to the secondary server.

Asked August 13, 2020 - 11:55pm

Answer (1)

Hello,

Checking the pm_filter module could be a good start for you - take a look here:

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#pm_filter

More powerful filters are available in the Enterprise Edition, the docs can be found here:

https://nxlog.co/documentation/nxlog-user-guide/filtering.html

Best regards,

Rafal

Comments (1)

  • DS_534595

    That does not appear to me to be the answer - or maybe I don't get it. To recap my design and intention:

    # NXlog client on any given server in a security zone
    <Input myMessages>
        Module    im_file
        File      '/var/log/messages'
        # ...and I add a few additional parameters - all good, it works
    </Input>
    <Input myFirewall>
        Module    im_file
        File      '/var/log/firewalld'
        # ...and I add a few additional parameters - all good, it works
    </Input>

    <Output myOutput1>
        Module    om_tcp
        Host      192.168.1.200
        # This is the working zone collector - all good, it works
    </Output>

    <Route dest1>
        Path      myMessages, myFirewall => myOutput1
        # All good so far - it works
    </Route>

    Now to the NXlog proxy aka zone collector. How do I extract that particular Sourcename and route it out separately?

    # NXlog proxy aka zone collector in same security zone

    <Input myListener1>
        Module    im_tcp
        Host      0.0.0.0
        # All good - it works. But now comes my intention, paraphrased:
        # How do I extract that particular Sourcename and route it out separately?
        Exec      if ($SourceName = myFirewall ) prepare  to ROUTE TO SECONDARY COLLECTOR;
    </Input>
    <Output myOutput2>
        Module    om_tcp
        Host      192.168.2.200
        # This is the intended second collector - my problem
    </Output>

    # I can not point the Path to my example 'myFirewall'
    <Route dest2>
        Path      myFirewall => myOutput2
    </Route>

    A pointer in the right direction will be greatly appreciated :)
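Added here as an illustration and not part of the thread: one way to do what the comment asks with the pm_filter module the answer points to. It assumes the client serialises events with xm_json so the origin module name survives the TCP hop (om_tcp transmits only $raw_event, so $SourceModuleName would otherwise be lost), that both sides use port 1514, and that 10.0.0.10 is a placeholder for the SIEM target; the other names and addresses come from the post.

```apacheconf
## File 1: nxlog.conf on the production server (client side)
## Only the output changes: the whole event is serialised to JSON so that
## $SourceModuleName ('myFirewall' or 'myMessages') is carried across the wire.
<Extension json>
    Module    xm_json
</Extension>
<Output myOutput1>
    Module    om_tcp
    Host      192.168.1.200
    Port      1514
    Exec      to_json();
</Output>
# <Input myMessages>, <Input myFirewall> and <Route dest1> stay as in the post.

## File 2: nxlog.conf on the zone collector (192.168.1.200)
<Extension json>
    Module    xm_json
</Extension>
<Input myListener1>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    # Restore the client's fields; $SourceModuleName becomes 'myFirewall' again
    Exec      parse_json();
</Input>
<Processor onlyFirewall>
    Module    pm_filter
    # pm_filter discards every event whose Condition does not evaluate to TRUE
    Condition $SourceModuleName == 'myFirewall'
</Processor>
# Primary SIEM target (placeholder address): receives everything, still as JSON
<Output toSiem>
    Module    om_tcp
    Host      10.0.0.10
    Port      1514
</Output>
# Secondary collector in the other zone: receives firewall events only
<Output myOutput2>
    Module    om_tcp
    Host      192.168.2.200
    Port      1514
</Output>
<Route all>
    Path      myListener1 => toSiem
</Route>
<Route firewallOnly>
    Path      myListener1 => onlyFirewall => myOutput2
</Route>
```

An input may sit in several routes, so every event reaches toSiem while only the events the filter passes reach myOutput2.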