Cannot find the origin and configuration of certain fields

[SuryanuSanyal]

Hi team,

I was trying to collect logs from a file present in Windows server.

I found that certain fields like "port" were autogenerated and as per my best knowledge, I did not configure them. I wanted to know where it is being generated.

Also, while testing the filters, I once used "testlog" as the type field value in the Windows Event Log Input so that I would get logs with "type" field as "testlog". And then, I renamed the "type" field value from "testlog" to "evenlog", provided I verified, saved and applied it as global config.
I was expecting the field "type" to have value "eventlog" but still getting testlog. When none of my input and filter blocks make type as testlog, where is this value coming from

Please check with the following images for better understanding.

testlog.png

testlog2.png

Kindly provide your inputs on this.
Thanks in advance

[pbroste]

Hello @SuryanuSanyal

Thanks for reaching out, looks like you selected the option to retrieve the Windows Event Log from the Windows device Event messages.

When you select the option to retrieve logs from your Windows device utilizing the NXLOG CE client/agent which automatically uses port 3515. The other option to NXLOG (which by default uses port 3515) to send logs from a file to Nagios Log Server.

Appears that NXLOG is taking the file name that the Windows Event logs came from. You can rename the file and run the log file import.

Code: Select all

# Watch your own files
<Input windowsfile>
    Module   im_file
    File     'C:\path\to\target\testlog
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>

Thanks,
Perry