delete is not deleting fields from log

#1 kmarek973

Hello everyone!

I would like to delete the EventTime field from the BIND log and not send it to the remote SIEM server.

Here is a log example:

11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)

Unfortunately, it seems that I'm doing something wrong, because "11-mai-2021 00:27:48.084" still persists in the log.

Here is my config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Input in1>
    Module im_file
    File 'C:\NXLOGTEST\fileTEST.log'

    <Exec>
        # 2. Parse BIND 9 metadata
        if $Message =~ /(?x)^(?<EventTime>\S+\s\S+)\s(?<Category>\S+):\s
                             (?<BINDSeverity>[^:]+):\s(?<Message>.+)$/i
        {
            # I TRIED ALSO LIKE THIS
            delete($EventTime);

            # 3. Parse messages from the queries category
            if $Category == "queries"
            {
                $Message =~ /(?x)^client\s((?<ClientID>\S+)\s)?(?<Client>\S+)\s
                                 \((?<OriginalQuery>\S+)\):\squery:\s
                                 (?<QueryName>\S+)\s(?<QueryClass>\S+)\s
                                 (?<QueryType>\S+)\s(?<QueryFlags>\S+)\s
                                 \((?<LocalAddress>\S+)\)$/;
            }
        }
    </Exec>

    #NOW I HAVE IT CONFIGURED LIKE THIS
    Exec    delete($EventTime);
</Input>

<Output out1>
    Module om_udp
    Host   192.168.0.227
    Port   514
</Output>

<Route r1>
    Path in1 => out1
</Route>

<Output out1> Module om_udp Host 192.168.0.227 Port 514 </Output>

<Route r1> Path in1 => out1 </Route>

nxlog.log shows no errors, only this line after starting:

2021-05-11 19:57:20 INFO nxlog-ce-2.10.2150 started

Can anyone help me investigate?

#2 rafDeactivated Nxlog ✓
Hi,

Your log line "11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)" comes from BIND, and it is not parsed; hence the $EventTime variable has nothing to do with the input data. That is what happens in the uncommented section.

Your first regex is fine, but please refer to the NXLog Community Edition Reference Manual, Expression sections, to explore variable assignment: your time data will be stored in variable $1, and so on. You can construct your custom log line or create custom-named fields.

Hope this helps.
Rafal
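An added example, not from the thread and not NXLog's own sample config: the input block below applies the same prefix regex to $raw_event, which is the field im_file actually fills (nothing in the question's config sets $Message before the match), and then rebuilds $raw_event from the remaining fields, because om_udp forwards $raw_event and delete() removes only the EventTime field, not the text already sitting in $raw_event. The file path and destination come from the question; the "category: severity: message" layout of the rebuilt line is my own assumption.

```nxlog
<Input in1>
    Module  im_file
    File    'C:\NXLOGTEST\fileTEST.log'
    <Exec>
        # im_file stores each line in $raw_event; match that, not the unset $Message.
        # Named captures become fields: $EventTime, $Category, $BINDSeverity, $Message.
        if $raw_event =~ /(?x)^(?<EventTime>\S+\s\S+)\s(?<Category>\S+):\s
                              (?<BINDSeverity>[^:]+):\s(?<Message>.+)$/i
        {
            # delete() removes only the field; $raw_event still holds the full line.
            delete($EventTime);
            # Rebuild the line om_udp will send, now without the BIND timestamp
            # (assumed layout: "category: severity: message").
            $raw_event = $Category + ": " + $BINDSeverity + ": " + $Message;
        }
        else
        {
            # Line did not look like a BIND 9 entry; leave $raw_event untouched
            # and record it so unparsed input is visible in nxlog.log.
            log_warning("unparsed BIND line: " + $raw_event);
        }
    </Exec>
</Input>

<Output out1>
    Module  om_udp
    Host    192.168.0.227
    Port    514
</Output>

<Route r1>
    Path    in1 => out1
</Route>
```

For the sample line in the question, the forwarded datagram becomes `queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)`.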