NXlog filtering and forwarding to separate collectors


#1 DS_534595

Hi,

in my design, I use NXlog Community Edition servers as proxy collectors in network security zones; all production servers forward their logs to their closest NXlog proxy collector node, which in turn forwards to a SIEM server Output target. My question is: On such a collector node, can I parse the incoming data and if coming from a certain production server Input module instance, e.g. <Input myInput1>, forward only this data to a secondary Output target? The challenge lies in the fact that currently I've only got one collector node per security zone. The individual production server can only forward to the collector in the same zone, otherwise I would have created a separate Output instance and a Route for the particular Input instance to the secondary server.

#2 rafDeactivated Nxlog ✓

Hello,

Checking the pm_filter module could be a good start for you - take a look here:

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#pm_filter

More powerful filters are available in the Enterprise Edition, the docs can be found here:

https://nxlog.co/documentation/nxlog-user-guide/filtering.html

Best regards,

Rafal
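
A collector configuration along the lines suggested above, as an added example that is not part of the original thread or of NXLog's documentation: one shared listener feeds two routes, and a pm_filter instance on the second route passes only events from one production server. The instance names, addresses and ports are constructed placeholders, and it assumes all production servers send to the same im_tcp listener, which sets `$MessageSourceAddress` to the sender's IP.

```conf
# Shared listener that every production server in the zone sends to.
<Input from_zone>
    Module      im_tcp
    Host        0.0.0.0
    Port        1514
</Input>

# Passes an event only when it came from the selected production server
# (192.0.2.10 is a constructed address); everything else is discarded
# on this route only.
<Processor only_server1>
    Module      pm_filter
    Condition   $MessageSourceAddress == '192.0.2.10'
</Processor>

# Primary target: the SIEM (constructed address).
<Output siem>
    Module      om_tcp
    Host        198.51.100.5
    Port        1514
</Output>

# Secondary target that should receive only the selected server's logs.
<Output secondary>
    Module      om_tcp
    Host        198.51.100.6
    Port        1514
</Output>

# Route 1: everything received goes to the SIEM, unfiltered.
<Route all_to_siem>
    Path        from_zone => siem
</Route>

# Route 2: the same input is reused; the filter sits between the input
# and the secondary output, so the SIEM route is not affected.
<Route server1_to_secondary>
    Path        from_zone => only_server1 => secondary
</Route>
```

Matching on the source IP only identifies the sending host as reliably as the network path does; if the production servers reach the collector through NAT or another relay, match on a field inside the event instead.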