Sending Syslogs to 2 syslog collectors

#1 mcerone

Hello,

I'm trying to send Windows events to two different syslog servers.

I have two output modules and one route. I see syslog packets getting sent to both collectors, but the packets are not coming in the correct format.

The configuration looks like this:

    LogLevel INFO
    Logfile  %LOGDIR%/nxlog.log

    <Extension agent_managment>
        Module          xm_soapadmin
        Connect         10.x.x.n
        Port            4041
        SocketType      SSL
        CAFile          %CERTDIR%/agent-ca.pem
        AllowUntrusted  FALSE
        RequireCert     TRUE
        <ACL conf>
            Directory   %CONFDIR%
            AllowRead   TRUE
            AllowWrite  TRUE
        </ACL>
        <ACL cert>
            Directory   %CERTDIR%
            AllowRead   TRUE
            AllowWrite  TRUE
        </ACL>
    </Extension>

    # xm_syslog provides to_syslog_ietf(), to_syslog_bsd(), to_syslog_snare()
    # and parse_syslog(), so it must be loaded for the Exec blocks below.
    <Extension syslog>
        Module  xm_syslog
    </Extension>

    <Extension Extension_json>
        Module  xm_json
    </Extension>

    <Input eventlog>
        Module        im_msvistalog
        SavePos       TRUE
        ReadFromLast  TRUE
        # drop Windows Filtering Platform "connection permitted" events
        Exec          if ($EventID == 5156) drop();
    </Input>

    <Input internal_mod>
        Module  im_internal
    </Input>

    <Output out>
        Module      om_tcp
        Host        10.x.x.a
        Port        514
        OutputType  LineBased
        <Exec>
            $Hostname = string(host_ip());
            to_syslog_ietf();
            parse_syslog();
            $Message = '@cee: ' + to_json();
            to_syslog_bsd();
        </Exec>
    </Output>

    <Output outlcp>
        Module      om_udp
        Host        10.x.x.b
        Port        514
        OutputType  Dgram
        Exec        $Hostname = string(host_ip());
        Exec        to_syslog_snare();
    </Output>

    <Route Syslog_lcp>
        Priority  1
        Path      eventlog, internal_mod => outlcp, out
    </Route>

#2 Klevin (Nxlog ✓)

Hello Sir,

I see that you are using different output format configurations on the two output modules:

    to_syslog_ietf(); parse_syslog();
    $Message = '@cee: ' + to_json(); to_syslog_bsd();

and

    Exec to_syslog_snare();

May I suggest that you check the format each collector needs and convert accordingly?

Sincerely,
Klevin
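As an added illustration of that advice (example configuration written for this thread, not the poster's or NXLog's own), the fragment below keeps one route fanning events out to both collectors but gives each output a single, consistent conversion. It assumes collector A expects BSD syslog carrying a `@cee:` JSON payload and collector B expects Snare format; the unrelated `xm_soapadmin` block is omitted, and the `to_syslog_ietf(); parse_syslog();` round trip is dropped because the BSD line is built directly from the event fields.

```nxlog
# xm_syslog provides to_syslog_bsd(), to_syslog_snare() and parse_syslog()
<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module        im_msvistalog
    SavePos       TRUE
    ReadFromLast  TRUE
    # drop Windows Filtering Platform "connection permitted" events (very noisy)
    Exec          if ($EventID == 5156) drop();
</Input>

<Input internal_mod>
    Module  im_internal
</Input>

# Collector A (assumed): BSD syslog line whose message part is @cee: + JSON
<Output out>
    Module      om_tcp
    Host        10.x.x.a
    Port        514
    OutputType  LineBased
    <Exec>
        $Hostname = string(host_ip());
        $Message  = '@cee: ' + to_json();   # JSON built from the event fields
        to_syslog_bsd();                    # one conversion, no IETF round trip
    </Exec>
</Output>

# Collector B (assumed): Snare format only
<Output outlcp>
    Module      om_udp
    Host        10.x.x.b
    Port        514
    OutputType  Dgram
    Exec        $Hostname = string(host_ip());
    Exec        to_syslog_snare();
</Output>

# Each output receives its own copy of every event, so the two Exec blocks
# cannot interfere with each other's formatting.
<Route Syslog_lcp>
    Priority  1
    Path      eventlog, internal_mod => out, outlcp
</Route>
```

Both paths still carry Windows event data in the clear; for the TCP collector, NXLog's `om_ssl` module can replace `om_tcp` when the collector supports TLS.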