
Hi,

I'm trying to send a raw event in our specific logfile to another server via TCP using NXLog CE. The receiving end requires snare or bsd format. I already used to_syslog_snare() and to_syslog_bsd() in the om_tcp module, but it didn't work. I also tried to parse the input module by adding an empty condition to check the raw event, but it didn't work either.

If I hardcode the raw event using exec and then convert to snare or bsd in the output module, I'm receiving the hardcoded and formatted event in my server. Have I missed any configurations? Below is my sample config. Thanks a lot!

<Extension _syslog>
 Module      xm_syslog
</Extension>

<Input in>
 Module    im_file
 File      "C:/test.txt"
 ReadFromLast TRUE
 SavePos  TRUE

 # if empty line then do not send
 if $raw_event !~ /^.*$/
 {
  drop();
 }
 else
 {
  $raw_event = to_syslog_bsd();
  }

</Input>

<Output out>
 Module om_tcp
 Host   myserver
 Port   8888

 # to_syslog_snare(); # not receiving raw event in myserver
 # to_syslog_bsd(); # not receiving raw event in myserver
 # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd
</Output>

<Route testroute>
 Path    in => out
</Route>

C:/test.txt

Hello
This is a test!
3rd line
Bye
Asked February 3, 2021 - 3:13am

Answer (1)

Hello,

I would use something like this...

<Extension _syslog>
  Module      xm_syslog
</Extension>

<Input in>
  Module       im_file
  File         'C:\test.txt'
  ReadFromLast TRUE
  SavePos      TRUE
  <Exec>
    if ($raw_event == "") { drop(); }
  </Exec>
</Input>

<Output out>
  Module  om_tcp
  Host    myserver
  Port    8888
  Exec    to_syslog_bsd(); 
</Output>
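
To confirm on the receiving side that events really arrive in BSD syslog format, a small checker can stand in for the real receiver. This is an added example, not part of the original answer; the function names, the host name WINHOST and the sample payload are constructed for illustration, and it assumes one event per line on the TCP stream.

```python
import re
import socketserver

# BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_bsd(line):
    """Return the decoded fields of one BSD syslog line, or None if it is not in that format."""
    m = BSD_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}

def check_stream(data):
    """Split a newline-delimited TCP payload (LF or CRLF) and classify every line."""
    text = data.decode("utf-8", errors="replace")
    return [(line, parse_bsd(line)) for line in text.splitlines()]

class Handler(socketserver.StreamRequestHandler):
    """Prints OK for BSD-formatted lines and RAW for unformatted or empty ones."""
    def handle(self):
        for raw in self.rfile:
            for line, parsed in check_stream(raw):
                print("OK " if parsed else "RAW", repr(line), parsed or "")

# Constructed sample: one formatted event followed by one unformatted raw line.
SAMPLE = (b"<13>Feb  3 03:13:00 WINHOST Hello\r\n"
          b"This is a test!\n")

if __name__ == "__main__":
    for line, parsed in check_stream(SAMPLE):
        print("OK " if parsed else "RAW", repr(line), parsed or "")
    # To test against the config above, listen on the configured port instead:
    # socketserver.TCPServer(("0.0.0.0", 8888), Handler).serve_forever()
```

Lines reported as RAW reached the listener without syslog formatting, and an empty RAW line means the empty-line filter in the input block did not drop it.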
