Hi
I read the help but still don't understand how to send this log, which I would like to call impaxauditlog, from a text file on a Windows box (the file is overwritten) to my syslog server. Below are some examples from the log and my current nxlog config.
Basically each entry takes two lines: one starts with !SYS and the other with <IHEYr4>. So, based on the example, "!SYS 2015-02-23 11:51:49,478" is the time the event was logged and "<TimeStamp>2015-02-23T10:08:59+02:00</TimeStamp>" is the real event datetime, which I would like to use as the syslog message datetime (you can ask AGFA why they differ :). If this is not possible then of course I can settle for the 2015-02-23 11:51:49,478.
In essence the message itself should be everything between the <IHEYr4></IHEYr4> tags, BUT there is one big but: I need to parse the message a little and cut out everything between the first <CUID> and the last </CUID>, as there can be thousands of these and this is just wasting my disk space. So the syslog message should look something like this:
2015-02-23T10:08:59+02:00 windowsbox impaxauditlog <IHEYr4><DicomQuery><CUID></CUID><SyntaxUID>LittleIndianImplicit</SyntaxUID></DicomQuery><Host>xx.xx.xx.xx</Host><TimeStamp>2015-02-23T10:08:59+02:00</TimeStamp></IHEYr4>
Example:
!SYS 2015-02-23 11:51:49,478 - veebr 23 10:08:59 172.16.10.33 <?xml version="1.0" encoding="UTF-8" ?>
<IHEYr4><DicomQuery><CUID>1.3.12.2.1107.5.1.4.65588.30000015021704415668700013901</CUID><CUID>1.3.12.2.1107.5.1.4.65588.30000015021706453421800094763</CUID><SyntaxUID>LittleIndianImplicit</SyntaxUID></DicomQuery><Host>xx.xx.xx.xx</Host><TimeStamp>2015-02-23T10:08:59+02:00</TimeStamp></IHEYr4>
Main part of my current config:
<Input in>
Module im_msvistalog
</Input>
<Extension syslog>
Module xm_syslog
</Extension>
<Output sslout>
Module om_ssl
Host xx.xx.xx.xx
Port 10514
Exec to_syslog_ietf();
CAFile %CERTDIR%/ca.cert.pem
CertFile %CERTDIR%/cert.pem
CertKeyFile %CERTDIR%/key.pem
AllowUntrusted TRUE
OutputType Syslog_TLS
</Output>
<Route 1>
Path in => sslout
</Route>
Comments (6)
So should this work or am I missing something?
<Input in>
Module im_msvistalog
</Input>
<Extension syslog>
Module xm_syslog
</Extension>
<Output sslout>
Module om_ssl
Host xx.xx.x.xx
Port 10514
Exec to_syslog_ietf();
CAFile %CERTDIR%/ca.cert.pem
CertFile %CERTDIR%/cert.pem
CertKeyFile %CERTDIR%/key.pem
AllowUntrusted TRUE
OutputType Syslog_TLS
</Output>
<Extension multiline>
Module xm_multiline
HeaderLine /^!SYS/
# The closing tag is at the END of the second line, not at the start; the
# slash inside the tag must be escaped or it terminates the regex literal.
EndLine /<\/IHEYr4>$/
</Extension>
<Input filein>
Module im_file
# Single quotes so the backslashes in the Windows path need no escaping.
File 'C:\Program Files (x86)\Agfa\Sec\Audit\log\*.log'
SavePos FALSE
ReadFromLast FALSE
InputType multiline
# Anything that is not a complete !SYS entry is discarded.
Exec if $raw_event !~ /^!SYS/ drop();
# Use the <TimeStamp> element from the record as the event time.
Exec if $raw_event =~ /<TimeStamp>(.+)<\/TimeStamp>/ $EventTime = parsedate($1);
</Input>
<Route 1>
Path in => sslout
</Route>
<Route 2>
Path filein => sslout
</Route>
Okay, I got something working here, but I still need to cut out everything between the first <CUID> and the last </CUID>, as I'm constantly getting the
ERROR Syslog_TLS output is over the limit of 65000, will be truncated
Is this possible?
You either have very large messages, or the xm_multiline HeaderLine/EndLine does not match properly, so multiple messages get concatenated and reach the limit.
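The transform the poster is after, as an added example that is not the poster's config and not NXLog code: a small Python reference implementation run over a constructed sample log. It emulates the multiline splitting (a record starts at a !SYS line and ends at a line closing with </IHEYr4>), drops anything that is not a !SYS entry, takes <TimeStamp> as the event time, collapses everything between the first <CUID> and the last </CUID>, and checks each result against the 65000-byte limit from the error above. The hostname `windowsbox`, the tag `impaxauditlog`, the sample CUID values and the second entry are assumptions made for the example.

```python
"""Reference implementation of the impaxauditlog -> syslog transform.

Added example only: not the poster's NXLog config and not NXLog's code.
"""
import re

# Constructed sample log (not real data): two !SYS entries, the first with
# 2000 CUID elements, plus one stray line that is not part of an entry.
MANY_CUIDS = "".join(
    "<CUID>1.3.12.2.1107.5.1.4.65588.%020d</CUID>" % i for i in range(2000)
)
SAMPLE_LOG = (
    '!SYS 2015-02-23 11:51:49,478 - veebr 23 10:08:59 172.16.10.33 '
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    "<IHEYr4><DicomQuery>" + MANY_CUIDS
    + "<SyntaxUID>LittleIndianImplicit</SyntaxUID></DicomQuery>"
    "<Host>xx.xx.xx.xx</Host><TimeStamp>2015-02-23T10:08:59+02:00</TimeStamp>"
    "</IHEYr4>\n"
    "some unrelated line that is not part of an entry\n"
    '!SYS 2015-02-23 11:52:03,101 - veebr 23 10:09:12 172.16.10.33 '
    '<?xml version="1.0" encoding="UTF-8" ?>\n'
    "<IHEYr4><DicomQuery><CUID>1.3.12.2.1107.5.1.4.65588.1</CUID>"
    "<SyntaxUID>LittleIndianImplicit</SyntaxUID></DicomQuery>"
    "<Host>xx.xx.xx.xx</Host><TimeStamp>2015-02-23T10:09:12+02:00</TimeStamp>"
    "</IHEYr4>\n"
)

SYSLOG_TLS_LIMIT = 65000  # the limit named in the Syslog_TLS error message

HEADER_RE = re.compile(r"^!SYS ")
BODY_RE = re.compile(r"(<IHEYr4>.*</IHEYr4>)", re.S)
TIMESTAMP_RE = re.compile(r"<TimeStamp>(.+?)</TimeStamp>")
# Greedy on purpose: from the FIRST <CUID> to the LAST </CUID>.
CUID_RUN_RE = re.compile(r"<CUID>.*</CUID>", re.S)


def split_records(text):
    """Emulate xm_multiline with HeaderLine /^!SYS/ and EndLine /<\\/IHEYr4>$/.

    A record opens at a !SYS line and closes at a line ending in </IHEYr4>;
    lines outside any entry form their own record and are then dropped,
    mirroring the drop() in the poster's Exec.
    """
    records, current = [], []
    for line in text.splitlines():
        if HEADER_RE.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
        if line.endswith("</IHEYr4>"):
            records.append("\n".join(current))
            current = []
    if current:
        records.append("\n".join(current))
    return [r for r in records if HEADER_RE.match(r)]


def to_syslog_message(record, host="windowsbox", tag="impaxauditlog"):
    """Build the line the poster sketched: TimeStamp, host, tag, body.

    The CUID run is collapsed to a single empty <CUID></CUID> so the rest
    of the query structure survives but the UID list does not.
    """
    body = BODY_RE.search(record).group(1)
    event_time = TIMESTAMP_RE.search(body).group(1)
    body = CUID_RUN_RE.sub("<CUID></CUID>", body, count=1)
    return "%s %s %s %s" % (event_time, host, tag, body)


def process_log(text):
    """All records of the file, converted to syslog-style message lines."""
    return [to_syslog_message(r) for r in split_records(text)]


def over_limit(message, limit=SYSLOG_TLS_LIMIT):
    """True when the encoded message would be truncated by the output."""
    return len(message.encode("utf-8")) > limit


if __name__ == "__main__":
    raw = split_records(SAMPLE_LOG)
    print("first record before stripping: %d bytes, over limit: %s"
          % (len(raw[0]), over_limit(raw[0])))
    for msg in process_log(SAMPLE_LOG):
        print("%d bytes: %s" % (len(msg), msg))
```

Run on the sample, the first record is well over 65000 bytes before stripping and a few hundred after, which is exactly the truncation the poster sees: the CUID list, not the multiline matching, is what pushes a single correctly delimited record past the limit. NXLog's own language has a regular-expression substitution operator for use in an Exec block, so the same greedy pattern can be applied to $raw_event inside the filein input before the event reaches the output; check the reference manual for your version for the exact form.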
Hi,
I am trying to cut the first field from syslog_bsd parsed output and am wondering how I can do that; please see below:
<77>Jul 29 01:01:01 rhel66 run-parts(/etc/cron.hourly)[13751]: starting mcelog.cron
<77>Jul 29 01:01:01 rhel66 run-parts(/etc/cron.hourly)[13781]: finished mcelog.cron
I need to cut <77> from the log.
Thanks,
Aparna
Please don't hijack other people's questions, you should create a new question if it is unrelated to the topic.
Thanks for your quick reply.
It's working now.
Thanks.