Hello everyone!
I would like to delete the EventTime field from the BIND log and not send it to the remote SIEM server.
Here is a log example:
11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)
Unfortunately, it seems that I'm doing something wrong, because "11-mai-2021 00:27:48.084" still persists in the log.
Here is my config:
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in1>
    Module  im_file
    File    'C:\NXLOGTEST\fileTEST.log'
    <Exec>
        # 2. Parse BIND 9 metadata
        if $Message =~ /(?x)^(?<EventTime>\S+\s\S+)\s(?<Category>\S+):\s
                        (?<BINDSeverity>[^:]+):\s(?<Message>.+)$/i
        {
            # I TRIED ALSO LIKE THIS
            # delete($EventTime);

            # 3. Parse messages from the queries category
            if $Category == "queries"
            {
                $Message =~ /(?x)^client\s((?<ClientID>\S+)\s)?(?<Client>\S+)\s
                             \((?<OriginalQuery>\S+)\):\squery:\s
                             (?<QueryName>\S+)\s(?<QueryClass>\S+)\s
                             (?<QueryType>\S+)\s(?<QueryFlags>\S+)\s
                             \((?<LocalAddress>\S+)\)$/;
            }
        }
    </Exec>
    #NOW I HAVE IT CONFIGURED LIKE THIS
    Exec    delete($EventTime);
</Input>

<Output out1>
    Module  om_udp
    Host    192.168.0.227
    Port    514
</Output>

<Route r1>
    Path    in1 => out1
</Route>
nxlog.log shows no errors, only this line after starting:
2021-05-11 19:57:20 INFO nxlog-ce-2.10.2150 started
Can anyone help me investigate?
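As an added illustration (not part of the post, and not NXLog code), the same two-stage BIND 9 parse in Python: the regexes fill in fields such as EventTime, Category and Client, but the original line is never changed by matching, so dropping the EventTime field on its own leaves the forwarded text intact; NXLog outputs such as om_udp send $raw_event, so the outgoing record has to be rebuilt from the remaining fields. The sample line is the one quoted above; the `build_forward_record` format is an assumption chosen for the example.

```python
import re

# Constructed sample in the BIND 9 query-log format quoted in the post.
SAMPLE = ("11-mai-2021 00:27:48.084 queries: info: client @0x7f82bc11d4e0 "
          "10.80.0.1#53995 (google.com): query: google.com IN A +E(0) (10.80.1.88)")

# Stage 1: BIND 9 metadata, same structure as the post's first regex
# (Python spells named groups (?P<name>...)).
META_RE = re.compile(r"""^(?P<EventTime>\S+\s\S+)\s(?P<Category>\S+):\s
                         (?P<BINDSeverity>[^:]+):\s(?P<Message>.+)$""",
                     re.VERBOSE | re.IGNORECASE)

# Stage 2: fields of a message in the "queries" category.
QUERY_RE = re.compile(r"""^client\s((?P<ClientID>\S+)\s)?(?P<Client>\S+)\s
                          \((?P<OriginalQuery>\S+)\):\squery:\s
                          (?P<QueryName>\S+)\s(?P<QueryClass>\S+)\s
                          (?P<QueryType>\S+)\s(?P<QueryFlags>\S+)\s
                          \((?P<LocalAddress>\S+)\)$""", re.VERBOSE)


def parse_bind_line(raw_event):
    """Return the parsed fields of one BIND 9 log line, or None if it does not match."""
    m = META_RE.match(raw_event)
    if not m:
        return None
    fields = m.groupdict()
    if fields["Category"] == "queries":
        q = QUERY_RE.match(fields["Message"])
        if q:
            # ClientID is optional; skip groups that did not participate.
            fields.update({k: v for k, v in q.groupdict().items() if v is not None})
    return fields


def build_forward_record(raw_event):
    """Rebuild the record to forward from the parsed fields, leaving EventTime out.

    Parsing does not alter raw_event, so the timestamp only disappears if the
    outgoing text is assembled from the remaining fields (hypothetical format).
    """
    fields = parse_bind_line(raw_event)
    if fields is None:
        return raw_event  # unparsed lines are forwarded unchanged
    fields.pop("EventTime", None)
    return "{Category}: {BINDSeverity}: {Message}".format(**fields)


if __name__ == "__main__":
    print(parse_bind_line(SAMPLE))
    print(build_forward_record(SAMPLE))
```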