How to send an XML file into GrayLog with NXLog?


(Black Pearl) #1

Hi all,

I’ve been using GrayLog for 4 months and it is a very useful tool! I use Nessus too (a vulnerability scanning tool), and Nessus can generate reports as .XML files.

This week I tried many NXLog configurations but nothing worked. My goal was to export a Nessus report (in XML format) into GrayLog with NXLog on Windows (or maybe Linux).

Do you know the right configuration to do this? Do you have an example?

This is my current (not working) configuration file nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
    Module      xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension xm_xml>
    Module      xm_xml
</Extension>

<Input in>
    Module      im_file
    File        "C:\Program Files\Graylog\collector-sidecar\generated\myNessusReport.xml"
</Input>

<Output out>
    Module      om_udp
    Host        XX.XX.XX.XX
    Port        12201
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        in => out
</Route>

What am I missing in my configuration? :sweat_smile:

Thanks for your help!

Adrien


(Black Pearl) #2

OK, I finally succeeded, not with a Nessus file but with a basic XML file.

Here is my configuration nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
    Module      xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^<event>/
    EndLine     /^<\/event>/
</Extension>

<Extension xmlparser>
    Module      xm_xml
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_file
    File        "C:\Program Files\Graylog\collector-sidecar\generated\exempleFichier.xml"
    SavePos     FALSE
    ReadFromLast FALSE
    InputType   multiline
    <Exec>
        # Discard everything that doesn't look like an XML event
        if $raw_event !~ /^<event>/ drop();

        # Parse the XML event
        parse_xml();

        # Rewrite some fields
        $EventTime = parsedate($timestamp);
        delete($timestamp);
        delete($EventReceivedTime);

        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        xx.xx.xx.xx
    Port        12201
</Output>

<Route 1>
    Path        in => out
</Route>

And the XML file I tested with:

<?xml version="1.0" encoding="UTF-8"?>
<event>
  <timestamp>2012-11-23 23:00:00</timestamp>
  <severity>ERROR</severity>
  <message>
    Something bad happened.
    Please check the system.
  </message>
</event>
<event>
  <timestamp>2012-11-23 23:00:12</timestamp>
  <severity>INFO</severity>
  <message>
   System state is now back to normal.
  </message>
</event>

Source: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_multiline_example_5
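The thread's original goal, a Nessus report rather than the flat `<event>` file above, is left open. As an added example that is not part of the original posts and not NXLog or Graylog project code, the following Python script does for a Nessus v2 (.nessus) report what the `parse_xml()` / `to_json()` step does for the simple file: it turns each `ReportItem` into a GELF 1.1 message, the format the GELF UDP input on port 12201 is defined for (it requires `version`, `host` and `short_message`), and it adds the chunking a long `plugin_output` needs to fit in UDP datagrams. The embedded report is a constructed sample in the Nessus v2 layout, not a real scan; the severity-to-syslog-level mapping, the Graylog address default and reading the zone-less `HOST_END` time as UTC are assumptions.

```python
"""Turn a Nessus v2 (.nessus) report into GELF 1.1 messages for a Graylog GELF UDP input."""
import calendar
import json
import socket
import time
import uuid
import xml.etree.ElementTree as ET  # does not resolve external entities by default

# Constructed sample in the Nessus v2 layout (hypothetical host and findings, not a real scan).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-fqdn">web01.lab.example</tag>
        <tag name="HOST_END">Tue Feb  6 15:04:05 2024</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="42873"
                  pluginName="SSL Medium Strength Cipher Suites Supported" pluginFamily="General">
        <cvss_base_score>7.5</cvss_base_score>
        <synopsis>The remote service supports medium strength ciphers.</synopsis>
        <plugin_output>Here is the list of medium strength SSL ciphers supported by the remote server.</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506"
                  pluginName="Nessus Scan Information" pluginFamily="Settings">
        <synopsis>This plugin displays information about the Nessus scan.</synopsis>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Assumed mapping: Nessus severity 0..4 (Info, Low, Medium, High, Critical) -> syslog level for GELF "level".
SEVERITY_TO_LEVEL = {"4": 2, "3": 3, "2": 4, "1": 5, "0": 6}
GELF_MAGIC = b"\x1e\x0f"  # chunk header magic bytes from the GELF spec


def host_end_epoch(host_props):
    """HOST_END looks like 'Tue Feb  6 15:04:05 2024' without a zone; read as UTC (assumption), else now."""
    for tag in host_props.findall("tag"):
        if tag.get("name") == "HOST_END" and tag.text:
            try:
                return float(calendar.timegm(time.strptime(tag.text.strip(), "%a %b %d %H:%M:%S %Y")))
            except ValueError:
                break
    return time.time()


def report_items_to_gelf(nessus_xml):
    """Return one GELF 1.1 dict per ReportItem: mandatory version/host/short_message plus '_' fields."""
    root = ET.fromstring(nessus_xml)
    messages = []
    for host in root.iter("ReportHost"):
        props = host.find("HostProperties")
        ts = host_end_epoch(props) if props is not None else time.time()
        for item in host.iter("ReportItem"):
            sev = item.get("severity", "0")
            msg = {
                "version": "1.1",
                "host": host.get("name", "unknown"),  # the scanned host, not the scanner
                "short_message": item.get("pluginName", "nessus finding"),
                "timestamp": ts,
                "level": SEVERITY_TO_LEVEL.get(sev, 6),
                "_plugin_id": item.get("pluginID"),
                "_plugin_family": item.get("pluginFamily"),
                "_port": int(item.get("port", "0")),
                "_protocol": item.get("protocol"),
                "_nessus_severity": int(sev),
            }
            # Child elements (synopsis, solution, cve, ...) become flat "_" fields; "_id" is reserved by GELF.
            for child in item:
                if child.tag != "id" and child.text and child.text.strip():
                    msg["_" + child.tag] = child.text.strip()
            if "_plugin_output" in msg:
                msg["full_message"] = msg["_plugin_output"]
            messages.append(msg)
    return messages


def gelf_udp_chunks(message, chunk_size=1420):
    """JSON-encode one message; if it exceeds a datagram-safe size, split it into GELF chunks:
    2 magic bytes, 8-byte message id, sequence number, sequence count, data (Graylog allows 128 chunks)."""
    payload = json.dumps(message).encode("utf-8")
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > 128:
        raise ValueError("message needs more than 128 GELF chunks; shorten full_message")
    msg_id = uuid.uuid4().bytes[:8]
    return [GELF_MAGIC + msg_id + bytes([seq, len(pieces)]) + piece for seq, piece in enumerate(pieces)]


def send_to_graylog(messages, host="127.0.0.1", port=12201):
    """Send every message to the GELF UDP input; the address default is a placeholder assumption."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for message in messages:
            for chunk in gelf_udp_chunks(message):
                sock.sendto(chunk, (host, port))
    finally:
        sock.close()
```

Usage: `send_to_graylog(report_items_to_gelf(open("scan.nessus", encoding="utf-8").read()), host="xx.xx.xx.xx")`. The `host` field is deliberately the scanned host so that Graylog searches group findings per asset; the scanner name can be added as another `_` field if you need it. Because UDP gives no acknowledgement, verify delivery on the Graylog side (the input's throughput metrics) rather than in the script.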