
I'm using nxlog to send logs from the Windows Event Log to rsyslogd.

To identify my Windows hosts, I use the local6 facility. So they are logged to a separate folder based on IP and facility: local6 messages are logged to /var/log/hosts/windows/SERVER_IP/remote.log, all other facilities (non-local6) are logged to /var/hosts/linux/SERVER_IP/remote.log

The thing is, I sometimes find new messages in /var/log/hosts/linux/WINSERVER_IP/remote.log, which are (mostly) part of other Windows Event Log messages. It looks like big messages from the Event Log are split into fragments: the first one gets the local6 facility (via SyslogFacilityValue) and is logged to the windows-log folder (correct behavior), the rest get another facility value (which is unknown to me) and are logged to the linux-log folder (incorrect behavior).

My nxlog config (part of it):

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Exec        $SyslogFacilityValue = 22;
</Input>

<Processor eventlog_transformer>
    Module      pm_transformer
    Exec        $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Output out>
    Module      om_tcp
    Host        10.7.1.20
    Port        514
    Exec        $raw_event = replace($raw_event, "\r\n", " ");
    Exec        $raw_event = replace($raw_event, "\t", " ");
</Output>

<Route 1>
    Path        in => eventlog_transformer => out
</Route>

Is there a way to strictly specify the local6 facility for all outgoing syslog-type messages and their parts, if they get split?

Asked March 12, 2015 - 2:31pm

Answer (1)

Only newlines (i.e. \r\n or \n) can cause a message to be "split" into two or more when using tcp transport.

The rfc5424 (ietf) syslog format in nxlog replaces \r and \n with space. You are also doing the same with replace().

This sounds like an rsyslog issue.

Answered March 12, 2015 - 3:36pm

Comments (1)

  • antiBILLotic

    Partially, yes.

    First of all, setting $MaxMessageSize 64k in rsyslogd.conf works ONLY if put before $ModLoad imtcp - otherwise it has no effect and messages get split.

    Second, while capturing packets from nxlog to rsyslogd I noticed that some of them were split by newline characters. Now my replace group looks like this:

    Exec $raw_event = replace($raw_event, "\r\n", " ");
    Exec $raw_event = replace($raw_event, "\n", " ");
    Exec $raw_event = replace($raw_event, "\t", " ");
    Exec $raw_event = replace($raw_event, "#015", " ");
    Exec $raw_event = replace($raw_event, "#011", " ");

    This seems to fix the issue. I didn't get any suspicious log entries for several hours in a row; will continue to monitor this issue.


    March 17, 2015 - 12:04pm
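A constructed simulation of the splitting described in the question and of the replace() chain from the comment above. This is an added example, not nxlog's or rsyslog's own code; the timestamp, hostname, the LF-delimited TCP framing and the receiver's behaviour on a frame without a PRI header are assumptions.

```python
"""Simulate a line-delimited syslog TCP receiver: an event with an embedded
newline is cut into two frames, and only the first carries the <PRI> header
that encodes facility local6 (22). Constructed data, not nxlog/rsyslog code."""
import re

LOCAL6 = 22          # the facility set by "Exec $SyslogFacilityValue = 22;"
SEVERITY_INFO = 6

# Mirror of the replace() chain in the comment: CR/LF, TAB and the escaped
# forms "#015" (CR) and "#011" (TAB) all become a single space.
REPLACEMENTS = [("\r\n", " "), ("\n", " "), ("\t", " "), ("#015", " "), ("#011", " ")]


def sanitize(raw_event: str) -> str:
    """Apply the replacements in the same order as the nxlog Exec lines."""
    for old, new in REPLACEMENTS:
        raw_event = raw_event.replace(old, new)
    return raw_event


def to_rfc5424(msg: str, facility: int = LOCAL6, severity: int = SEVERITY_INFO) -> str:
    """Prefix a message with an RFC 5424 header; PRI = facility * 8 + severity.
    Timestamp, hostname and app-name are constructed placeholders."""
    pri = facility * 8 + severity
    return f"<{pri}>1 2015-03-12T14:31:00Z winhost nxlog - - - {msg}"


def tcp_frames(payload: str) -> list:
    """Split the octet stream the way a newline-delimited receiver does (assumed:
    no octet-counting framing), so every LF inside the event ends a frame."""
    return [frame.rstrip("\r") for frame in payload.split("\n") if frame]


def parse_facility(frame: str):
    """Facility from the PRI, or None when the frame has no PRI at all (a
    continuation fragment); a receiver then falls back to its own default."""
    match = re.match(r"<(\d{1,3})>", frame)
    return int(match.group(1)) // 8 if match else None


def deliver(event_text: str, sanitized: bool) -> list:
    """Facility the receiver assigns to each frame produced by one event."""
    body = sanitize(event_text) if sanitized else event_text
    wire = to_rfc5424(body) + "\n"   # assumed: the sender terminates each record with LF
    return [parse_facility(frame) for frame in tcp_frames(wire)]


if __name__ == "__main__":
    event = "Logon failure for user X\r\nReason: bad password"  # constructed
    print(deliver(event, sanitized=False))   # second fragment has no facility
    print(deliver(event, sanitized=True))    # one frame, facility 22
```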