I'm getting in syslog info from network devices. It looks like this:

id=scsonicwall sn=18B169F5XXXX time="2020-08-24 19:32:49" fw= pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=00:01:5c:71:c6:46 src= srcZone=Untrusted natSrc= dstMac=00:50:56:80:66:a6 dst= dstZone=Trusted natDst=X.x.x.x:443 proto=tcp/https sent=920 rcvd=3262 spkt=10 rpkt=6 cdur=666 rule="14 (WAN->LAN)" app=11 n=2617279 fw_action="NA" dpi=0

When NXLog is relaying this out to Loggly, it's boogering up the timestamps:

<134>1 2020-12-31T19:00:00.000000-05:00 - - - \[XXXXXX@41058 tag="windows"\] {"MessageSourceAddress":"","EventReceivedTime":"2020-08-24 20:05:06","SourceModuleName":"udp","SourceModuleType":"im_udp","SyslogFacilityValue":16,"SyslogFacility":"LOCAL0","SyslogSeverityValue":6,"SyslogSeverity":"INFO","SeverityValue":2,"Severity":"INFO","Hostname":"","EventTime":"2020-12-31 19:00:00","Message":"id=scsonicwall sn=18B169F52958 time=\"2020-08-24 20:05:06\" fw=X.X.X.X pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src= natSrc= dst= natDst=X.X.X.X:443 proto=tcp/https sent=52 app=11 n=131486 fw_action=\"NA\" dpi=0"}

Note the the "time" field internal to the message is correct, but the EventTime and the timestamp at the beginning of the message are completely wrong.

My config is below. What do I need to do to fix this?

## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at https://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\\Program Files\\nxlog
#define ROOT_STRING C:\\Program Files\\nxlog
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert

Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log

# Include fileop while debugging, also enable in the output module below
<Extension fileop>
Module xm_fileop

<Extension json>
Module xm_json

<Extension syslog>
Module xm_syslog

<Input internal>
Module im_internal
Exec $Message = to_json();

# Windows Event Log
#<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
#Module im_msvistalog

#Uncomment im_mseventlog for Windows XP/2000/2003
#Module im_mseventlog
#Exec $Message = to_json();

<Processor buffer>
Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk

<Input udp>
Module im_udp
Port 514
Exec parse_syslog_ietf();
Exec $Message = to_json();


<Output out>
Module om_tcp
Host logs-01.loggly.com
Port 514

Exec to_syslog_ietf(); $raw_event =~ s/\[NXLOG.*?\]/\[XXXXXXXXXXXX@41058 tag="windows"\]/g;

<Route 1>
Path udp, internal => buffer => out

AskedAugust 25, 2020 - 3:56am

Answers (0)