
I am using nxlog to tail a custom log file on one of my Windows servers. Each entry in the text file looks similar to this.

===================================================================================================================
1/14/2014 3:08:48 PM DOMAIN\user1 adding group member...
    Domain: blah
    Group: TestGroup
    Member: CN=Joe Bob,CN=Users,DC=blah,DC=ARG,DC=com
1/14/2014 3:08:48 PM 1 member added.
================================================================================================

I'm trying to send this log to my syslog server and I want to combine these multiple lines to 1 line so I can easily grep/search for specific users or groups. I've read some of the documentation on nxlog's website regarding multiline but haven't found a specific config to put them all in 1 entry with a syslog header.

Thanks, Eric


1 Answer

Have not tested but I think you need something like this:

<Extension multi>
    Module      xm_multiline
    # Both patterns match the '=' marker lines; they are written differently
    # because nxlog rejects an identical HeaderLine and EndLine
    HeaderLine  /^================/
    EndLine     /^===============/
</Extension>

<Input in>
    Module      im_file
    File        "input.log"
    InputType   multi
    # Remove the boundary markers
    Exec        if $raw_event =~ s/========[=]+//g {}
    # Make a single line
    Exec        $raw_event = replace($raw_event, "\r\n", " ");
</Input>

<Output out>
    Module      om_udp
    Host        1.2.3.4
    Port        514
    # Prepend the BSD syslog header
    Exec        to_syslog_bsd();
</Output>

<Route r>
    ....
</Route>
b0ti
  • I tried a similar config to this and receive the following error "ERROR HeaderLine and EndLine cannot be the same". If I put all of the = signs in for the front and end, it goes past that part and then errors on "Procedure 'replace()' does not exist or takes different arguments". – Eric Jun 05 '14 at 14:17
  • Slightly modified it. – b0ti Jun 05 '14 at 14:48
  • http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#xm_multiline – abc123 Aug 26 '14 at 17:05
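To preview what the collapsed events will look like before pointing the output at a syslog server, here is an added Python sketch (not nxlog code and not part of the answer) that applies the same marker-line splitting and line joining to a constructed sample in the question's layout and prepends a BSD syslog header; the hostname and tag values are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the layout shown in the question (two entries).
SAMPLE_LOG = """\
===============================================================
1/14/2014 3:08:48 PM DOMAIN\\user1 adding group member...
    Domain: blah
    Group: TestGroup
    Member: CN=Joe Bob,CN=Users,DC=blah,DC=ARG,DC=com
1/14/2014 3:08:48 PM 1 member added.
==============================================
===============================================================
1/14/2014 3:09:02 PM DOMAIN\\user2 removing group member...
    Domain: blah
    Group: Domain Admins
    Member: CN=Jane Doe,CN=Users,DC=blah,DC=ARG,DC=com
1/14/2014 3:09:02 PM 1 member removed.
==============================================
"""

BOUNDARY = re.compile(r"^=+\s*$")            # the '=' marker lines
STAMP = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")

def collapse_records(text):
    """Join each block between marker lines into one space-separated line."""
    records, current = [], []
    for line in text.splitlines():
        if BOUNDARY.match(line):
            if current:                       # marker closes a block
                records.append(" ".join(p.strip() for p in current))
                current = []
        elif line.strip():                    # drop blank lines
            current.append(line)
    if current:                               # file without a closing marker
        records.append(" ".join(p.strip() for p in current))
    return records

def to_syslog_bsd(message, hostname="winsrv01", tag="groupmon",
                  facility=1, severity=6):
    """Prefix a collapsed record with an RFC 3164 header, taking the timestamp
    from the record's own leading date (hostname/tag are placeholders)."""
    m = STAMP.match(message)
    dt = datetime.strptime(m.group(0), "%m/%d/%Y %I:%M:%S %p") if m else datetime.now()
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}"
```

With every event on one line, a plain `grep 'Group: TestGroup'` on the syslog server returns the whole membership change including who made it and which member was affected.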