v_2nas
(Nav)
February 14, 2018, 9:53am
1
Hi Folks,
I have successfully configured Graylog with Windows Server using NXLog. I am able to see the logs coming into Graylog, but there are some issues.
Windows logs send data as raw text and XML.
Graylog is able to pick up the XML just fine and index the data into fields, and the raw text goes into the full_message and message fields.
Some of the XML data is not in shape. Kindly check the attached screenshot of the field Failure Reason.
How can I extract the Failure Reason and put it inside another field?
I am trying to use extractors, but so far no luck.
jochen
(Jochen)
February 14, 2018, 10:18am
2
What’s your NXLOG configuration?
v_2nas
(Nav)
February 16, 2018, 8:48am
3
Here is the NXLog config file. I am using the collector to push the NXLog config to the nodes.
define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
    Module xm_gelf
</Extension>

<Processor 5a71798664058a23adcfc294-buffer>
    Module pm_buffer
    MaxSize 16384
    Type Mem
</Processor>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Input 5a71798664058a23adcfc294>
    Module im_msvistalog
    PollInterval 1
    SavePos True
    ReadFromLast True
    Channel Security
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4625)]]</Select>\
            <Select Path="Security">*[System[(EventID=4740)]]</Select>\
            <Select Path="Security">*[System[(EventID=4771)]]</Select>\
        </Query>\
    </QueryList>
</Input>

<Output 5a71779164058a23adcfc06b>
    Module om_tcp
    Host 172.17.1.87
    Port 5044
    OutputType GELF_TCP
    Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
    Exec $gl2_source_collector = 'e6e5e646-e79c-4b46-8422-29503febae7b';
    Exec $collector_node_id = 'server-pdc'; # string literal needs both quotes
    Exec $Hostname = hostname_fqdn();
</Output>

<Route route-0>
    Path 5a71798664058a23adcfc294 => 5a71798664058a23adcfc294-buffer => 5a71779164058a23adcfc06b
</Route>
jochen
(Jochen)
February 16, 2018, 10:19am
4
All select statements in an XPath query have to match.
Try splitting the XPath query into multiple queries, or use other means of filtering the Event IDs.
Please refer to the following pages for details:
v_2nas
(Nav)
February 16, 2018, 11:02am
5
The queries are working fine, as I am receiving the data. The question is how to get the fields in full_message into Graylog. There is some variation between the full_message data and the XML data.
jtkarvo
February 16, 2018, 5:35pm
6
You can make a regex extractor for the missing fields. For example:
Match only when full_message contains FailureReason">
Regex something like "FailureReason"\>(>?([^<]*))\</Data\>
(add quote characters \ wherever needed)
v_2nas
(Nav)
February 17, 2018, 3:28am
7
Would it be possible to extract the line where the "Failure Reason:" keyword comes in? Because the failure reason could be different even though it’s the same event.
jtkarvo
February 17, 2018, 3:28pm
8
If you have that in the full message, then you can extract that.
Try something like
Failure Reason:\s+(>?([^\s].*)$)
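The two regexes suggested in posts 6 and 8 target different shapes of the same 4625 event: the XML `<Data Name="FailureReason">` element that NXLog forwards, and the rendered "Failure Reason:" line of the text message. The following script is an added example, not code from the thread or from Graylog; it applies both patterns to constructed sample input to show what each capture group actually returns. The sample event text, the `%%2313` value and the small message-table lookup are assumptions made for the example, and the `re.MULTILINE` flag is a choice made here so that `$` stops at the end of the line rather than the end of the whole message; which flags your own regex engine applies to `$` and `.` is the first thing to check if the capture comes back longer than expected.

```python
import re

# Constructed sample 1: the XML fragment as NXLog's im_msvistalog forwards it.
# The FailureReason value is often a Windows message-table reference
# (assumption for this example: %%2313), not human-readable text.
SAMPLE_XML = (
    '<EventData><Data Name="TargetUserName">jdoe</Data>'
    '<Data Name="FailureReason">%%2313</Data>'
    '<Data Name="Status">0xc000006d</Data></EventData>'
)

# Constructed sample 2: the rendered text message, where the value is
# already resolved to a sentence and is NOT the last line of the message.
SAMPLE_TEXT = "\n".join([
    "An account failed to log on.",
    "Failure Information:",
    "\tFailure Reason:\t\tUnknown user name or bad password.",
    "\tStatus:\t\t\t0xC000006D",
    "\tSub Status:\t\t0xC0000064",
])

# Regex from post 6: value of the FailureReason <Data> element (group 1).
XML_REGEX = re.compile(r'"FailureReason"\>(>?([^<]*))\</Data\>')

# Regex from post 8: rest of the "Failure Reason:" line (group 1).
# MULTILINE is an assumption made here so '$' ends the capture at the line break.
TEXT_REGEX = re.compile(r'Failure Reason:\s+(>?([^\s].*)$)', re.MULTILINE)

# Assumed partial lookup for %%-references; verify against your own hosts.
MESSAGE_TABLE = {"%%2313": "Unknown user name or bad password."}


def extract_failure_reason(full_message: str):
    """Mimic a Graylog regex extractor: pick the pattern by the same
    'contains' condition post 6 suggests and return capture group 1."""
    if 'FailureReason">' in full_message:
        match = XML_REGEX.search(full_message)
    else:
        match = TEXT_REGEX.search(full_message)
    return match.group(1) if match else None


def resolve_reason(raw_value):
    """Turn a %%-reference into text when the lookup knows it; pass text through."""
    if raw_value is None:
        return None
    return MESSAGE_TABLE.get(raw_value, raw_value)


if __name__ == "__main__":
    for sample in (SAMPLE_XML, SAMPLE_TEXT):
        raw = extract_failure_reason(sample)
        print(repr(raw), "->", repr(resolve_reason(raw)))
```

The XML branch returns the `%%2313` reference while the text branch returns the sentence; that difference is the "variation" between the XML data and full_message noted in post 5, so if both shapes arrive you either normalise the reference with a lookup or extract from the rendered text only.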
v_2nas
(Nav)
February 19, 2018, 5:09am
9
Thanks Jtkarvo, the regular expression did the trick.
system
(system)
Closed
March 5, 2018, 5:09am
10
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.