1
response

I am looking at nxlog receiving various system logs via syslong on a single port using tcp/514. I would then like to have the message, based on the log type, parse and then send to a different destination. Is this possible using nxlog?

For example cisco devices will come in and would like to parse and then send those logs to one destination, lets say elk. Palo logs will come in on same tcp/514 listener but will need to be parsed and sent to a different destination, lets say splunk. They would be output as json and sent to the appropriate destination. I was thinking maybe looking at the raw event and having some type of logic based on a regex but that all happens in the same input module. Not seeing how it would direct the events to different outputs or routes.

AskedDecember 3, 2021 - 4:00am

Answer (1)

Hi,

You can use some filtering in the output modules for different log details. In example if you have IP address separation between the types of devices, your can use $MessageSourceAddress, and put both outputs in the same route.

<Output cisco>
Module om_tcp
Host <IP ADDRESS of the desitnation 1>
Port <PORT of the destination>
Exec if $MessageSourceAddress = "IP ADDRESS of cisco device" {} \
</Output>

<Output paloalto>
Module om_tcp
Host <IP ADDRESS of the desitnation 2>
Port <PORT of the destination>
Exec if $MessageSourceAddress = "IP ADDRESS of paloalto device" {} \
</Output>

Best regards,
Gábor