Hi everyone. Already an XI customer, testing out Log Server to see if it works for our needs so we can move away from our current product when it expires.
I got the server up and running with only a few roadblocks, and I'm now testing with just one DC sending logs, but I have this problem and I don't know if this is just how it works or if I have something incorrectly configured.
When an event from the DC gets sent, it gets sent in pieces. It's like each line of the XML in the Windows event log is parsed as its own event in Nagios Log Server. If you look at the screenshot, there are events that are blank... just spacers where they would usually appear in the Event Viewer snap-in.
Below is my nxlog.conf, and attached is a screenshot of what I see. Any help?
-Thanks, B.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Input eventlog>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>
<Output out-tcp-3515>
    Module om_tcp
    Host [ip of log server]
    Port 3515
</Output>
<Route 1>
    Path eventlog => out-tcp-3515
</Route>
Log Server Fragmented Events
bricehutch
- Posts: 6
- Joined: Fri Dec 02, 2016 11:39 am
Re: Log Server Fragmented Events
Hey B.,
I was able to reproduce the issue with your config. I haven't tested out exactly what the problem is, but my guess would be it has something to do with not loading the xm_json module and not using the to_json() function. That said, is there a reason you're not using the recommended config of:
## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
<Extension json>
    Module xm_json
</Extension>
<Extension syslog>
    Module xm_syslog
</Extension>
<Input internal>
    Module im_internal
</Input>
# Watch your own files
<Input file1>
    Module im_file
    File '%ROOT%\data\nxlog.log'
    SavePos TRUE
    Exec $Message = $raw_event;
</Input>
# Windows Event Log
<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    # Uncomment im_mseventlog for Windows XP/2000/2003
    # Module im_mseventlog
</Input>
<Output out>
    Module om_tcp
    Host <NLS_IP>
    Port 3515
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
<Route 1>
    Path internal, file1, eventlog => out
</Route>
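Why the recommended config fixes the fragmentation, as an added illustration that is not part of the thread: a newline-delimited TCP log input ends an event at every newline on the wire, so a Windows event whose multi-line Message is sent as plain text arrives as one fragment per line (including the blank "spacer" lines), while to_json() escapes those newlines and ships the whole record as a single line. The sample event and the wire format of the non-JSON case are constructed approximations, not real NXLog output.

```python
import json

# Constructed sample (not a real record): the fields im_msvistalog exposes for
# a Security event, with the multi-line $Message text that Event Viewer shows
# as paragraphs. The blank line is deliberate: it becomes an empty "spacer"
# event when the record is fragmented.
SAMPLE_EVENT = {
    "EventTime": "2016-12-02 11:39:00",
    "Hostname": "DC01.example.test",
    "Channel": "Security",
    "EventID": 4624,
    "Message": "An account was successfully logged on.\n\nSubject:\n"
               "\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC01$",
}


def frame_raw(event):
    """Approximation of what om_tcp writes when $raw_event is left as the
    module's default text: the Message is copied verbatim, embedded newlines
    included, and a newline terminates the record."""
    line = "%s %s %s" % (event["EventTime"], event["Hostname"], event["Message"])
    return (line + "\n").encode()


def frame_json(event):
    """What the recommended Exec lines produce: Message is moved to the
    lower-case 'message' field (the rename_field step), then to_json()
    serialises the whole record as one line with newlines and tabs escaped."""
    record = dict(event)
    record["message"] = record.pop("Message")
    return (json.dumps(record) + "\n").encode()


def receive(stream):
    """Model of a newline-delimited TCP log input: every '\\n' on the wire
    ends one event, regardless of where the sender's record really ended."""
    return stream.decode().split("\n")[:-1]


def decode_json_frames(frames):
    """Parse each received frame as JSON, as the Log Server input does."""
    return [json.loads(frame) for frame in frames]


if __name__ == "__main__":
    print("raw frames:", receive(frame_raw(SAMPLE_EVENT)))    # 5 fragments, one blank
    print("json frames:", receive(frame_json(SAMPLE_EVENT)))  # 1 complete event
```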
bricehutch
- Posts: 6
- Joined: Fri Dec 02, 2016 11:39 am
Re: Log Server Fragmented Events
Wow, that was easy. Used that config and just added my own <QueryList> inside the Input tags that were there, and it's working perfectly. Thanks!
Resolved, can consider closed.
Re: Log Server Fragmented Events
I'll be closing this thread now, but feel free to open another if you need anything in the future!
Former Nagios employee