NXLog and Windows Firewall Log File

#1 NX_RAF

Hi. I am relatively new to nxlog and I hope the community can help me with my question. I have a Windows Firewall log file on a Windows Server and the following nxlog configuration:

<Input in>
    Module       im_file
    File         "C:\Windows\system32\LogFiles\Firewall\pfirewall.log"
    SavePos      TRUE
    ReadFromLast TRUE
    Exec         parse_syslog_ietf();
</Input>

<Output out>
    Module  om_tcp
    Host    3.125.146.97:514
    #Exec   to_syslog_ietf();
</Output>

<Route 1>
    Path    in => out
</Route>

So far so good. The logs I receive now look as follows:

<13>1 2022-07-08T13:44:08+00:00 ec2-3-66-101-32 1 - - - 2022-07-08T15:44:17.208477+02:00 WINFS02 - - - [NXLOG@14506 EventReceivedTime="2022-07-08 15:44:17" SourceModuleName="in" SourceModuleType="im_file"] 2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

Can I shorten the message so that I receive just the end of it?

2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

#2 scott.f.kisely@gmail.com

First, it sounds like you just want the log back in RAW format. If so, then remove the statement ‘parse_syslog_ietf()’

Per NXLog's documentation, the IETF parser adds the following items when parsing:

* PRI: Message Priority
* VERSION: Syslog format version
* TIMESTAMP: YYYY-MM-DDTHH:MM:SS.000000Z (or specified time zone)
* HOSTNAME
* APP-NAME: Device or Application that generated the message
* PROCID: Process ID
* MSGID: Message type

From the examples in the documentation and my own experience, the RAW log is then attached to the end of the parsed information. So, by not running the parser, you should be back where you wanted to be.

I am referencing: https://docs.nxlog.co/userguide/integrate/syslog.html

I hope I didn't misunderstand your question.
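Added example (not code from the thread or from NXLog): a small receiver-side Python parser that separates the syslog IETF wrapping shown above from the raw pfirewall.log record NXLog appended after it, then maps that record onto the Windows Firewall log's documented field names. It assumes the `[NXLOG@14506 ...]` structured-data element is present and the standard 17-field pfirewall.log layout.

```python
import re
from typing import Dict, Optional

# Field order from the "#Fields:" header of the Windows Firewall log (pfirewall.log).
PFIREWALL_FIELDS = (
    "date", "time", "action", "protocol", "src-ip", "dst-ip", "src-port",
    "dst-port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
    "icmptype", "icmpcode", "info", "path",
)

# NXLog's structured-data element; a param value may contain backslash-escaped ']' or '"'.
_NXLOG_SD = re.compile(r'\[NXLOG@14506((?:[^\]\\]|\\.)*)\] ?')
_SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
_SD_UNESCAPE = re.compile(r'\\(["\\\]])')  # RFC 5424 escapes for " \ ]

def split_syslog_ietf(line: str) -> Dict[str, object]:
    """Return {"sd": {param: value}, "raw": original pfirewall.log line}.

    Everything before the NXLOG@14506 block (one or more stacked syslog headers,
    as in the thread's sample) is ignored; only the SD params and the raw tail are kept.
    """
    m = _NXLOG_SD.search(line)
    if not m:
        raise ValueError("no [NXLOG@14506 ...] structured data found")
    sd = {k: _SD_UNESCAPE.sub(r"\1", v) for k, v in _SD_PARAM.findall(m.group(1))}
    return {"sd": sd, "raw": line[m.end():].rstrip("\r\n")}

def parse_pfirewall(record: str) -> Dict[str, Optional[str]]:
    """Map a raw pfirewall.log record onto its named fields; '-' becomes None."""
    parts = record.split()
    if len(parts) != len(PFIREWALL_FIELDS):
        raise ValueError(f"expected {len(PFIREWALL_FIELDS)} fields, got {len(parts)}")
    return {name: (None if val == "-" else val) for name, val in zip(PFIREWALL_FIELDS, parts)}

# Constructed input: the line quoted in the thread (addresses are the poster's placeholders).
SAMPLE = ('<13>1 2022-07-08T13:44:08+00:00 ec2-3-66-101-32 1 - - - '
          '2022-07-08T15:44:17.208477+02:00 WINFS02 - - - '
          '[NXLOG@14506 EventReceivedTime="2022-07-08 15:44:17" SourceModuleName="in" '
          'SourceModuleType="im_file"] '
          '2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE')

if __name__ == "__main__":
    parts = split_syslog_ietf(SAMPLE)
    print(parts["raw"])
    print(parse_pfirewall(parts["raw"]))
```

Keeping the SD params (EventReceivedTime, SourceModuleName) alongside the parsed fields preserves collection provenance even though the firewall record itself is what gets indexed.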