Nxlog Reference Manual
Nxlog Reference Manual
1131
Ed. v2.6.1131 i
Ed. v2.6.1131
Ed. v2.6.1131 ii
Contents
Introduction 1.1 1.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1 1.2.2 1.2.3 1.2.4 1.2.5 1.2.6 1.2.7 1.2.8 1.2.9 Multiplatform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Modular architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Client-server mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Log message sources and destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Importance of security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scalable multi-threaded architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . High performance I/O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Message buffering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prioritized processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 1 1 1 1 2 2 2 2 2 2 3 3 3 3 3 3 4 4 4 4 5 5 6 6 6 6
1.2.10 Avoiding lost messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.11 Apache-style conguration syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.12 Built-in cong language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.13 Scheduled tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.14 Log rotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.15 Different log message formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.16 Advanced message processing capabilites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.17 Ofine processing mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.18 Character set and i18n support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Installation and quickstart 2.1 2.2 Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . GNU/Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.1 2.2.2 2.2.3 Installing from DEB packages (Debian, Ubuntu) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing from RPM packages (CentOS, RedHat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Conguring nxlog on GNU/Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ed. v2.6.1131 iv
7 7 7 8 9 9 9
Conguration 4.1 4.2 4.3 4.4 File inclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Constant and macro denitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Global directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.4.1 Common module directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.4.1.1 4.4.1.2 4.4.1.3 4.4.1.4 4.4.1.5 4.4.1.6 4.4.1.7 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 FlowControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Exec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 InputType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 OutputType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.5
Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5.2.1 5.2.2 5.2.3 Literals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 5.2.3.1 5.2.3.2 5.2.4 Unary operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Binary operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.3
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Statistical counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 List of available functions and procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.6.1 Functions and procedures exported by core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 5.6.1.1 5.6.1.2 5.6.2 Functions exported by core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Procedures exported by core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Ed. v2.6.1131 v
Modules 6.1
37
Extension modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.1.1 CSV (xm_csv) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.1.1.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.1.1.1.1 6.1.1.2 Specifying characters for quote, escape and delimiter . . . . . . . . . . . . . . . . . 38
Functions and procedures exported by xm_csv . . . . . . . . . . . . . . . . . . . . . . . . . . 39 6.1.1.2.1 6.1.1.2.2 Functions exported by xm_csv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Procedures exported by xm_csv . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.1.1.3 6.1.2
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
JSON (xm_json) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 6.1.2.1 6.1.2.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Functions and procedures exported by xm_json . . . . . . . . . . . . . . . . . . . . . . . . . 41 6.1.2.2.1 6.1.2.2.2 6.1.2.3 Functions exported by xm_json . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Procedures exported by xm_json . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
6.1.3
XML (xm_xml) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6.1.3.1 6.1.3.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Functions and procedures exported by xm_xml . . . . . . . . . . . . . . . . . . . . . . . . . . 43 6.1.3.2.1 6.1.3.2.2 6.1.3.3 Functions exported by xm_xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Procedures exported by xm_xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6.1.4
Key-value pairs (xm_kvp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 6.1.4.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 6.1.4.1.1 6.1.4.2 Specifying characters for quote, escape and delimiter . . . . . . . . . . . . . . . . . 46
Functions and procedures exported by xm_kvp . . . . . . . . . . . . . . . . . . . . . . . . . . 47 6.1.4.2.1 6.1.4.2.2 Functions exported by xm_kvp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Procedures exported by xm_kvp . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.1.4.3 6.1.5
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.6
Character set conversion (xm_charconv) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 6.1.6.1 6.1.6.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Functions and procedures exported by xm_charconv . . . . . . . . . . . . . . . . . . . . . . . 54 6.1.6.2.1 6.1.6.2.2 6.1.6.3 Functions exported by xm_charconv . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Procedures exported by xm_charconv . . . . . . . . . . . . . . . . . . . . . . . . . 55
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.1.7
Ed. v2.6.1131 vi
6.1.7.2
Functions and procedures exported by xm_leop . . . . . . . . . . . . . . . . . . . . . . . . . 56 6.1.7.2.1 6.1.7.2.2 Functions exported by xm_leop . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Procedures exported by xm_leop . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.1.7.3 6.1.8
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.1.9
Syslog (xm_syslog) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 6.1.9.1 6.1.9.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Functions and procedures exported by xm_syslog . . . . . . . . . . . . . . . . . . . . . . . . 68 6.1.9.2.1 6.1.9.2.2 6.1.9.3 6.1.9.4 Functions exported by xm_syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Procedures exported by xm_syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.1.10 External program execution (xm_exec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 6.1.10.1 Functions and procedures exported by xm_exec . . . . . . . . . . . . . . . . . . . . . . . . . 74 6.1.10.1.1 Procedures exported by xm_exec . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.1.10.2 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 6.1.11 Perl (xm_perl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 6.1.11.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 6.1.11.2 Functions and procedures exported by xm_perl . . . . . . . . . . . . . . . . . . . . . . . . . . 77 6.1.11.2.1 Procedures exported by xm_perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.1.11.3 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 6.2 Input modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 6.2.1 6.2.2 Fields generated by core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 DBI (im_dbi) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 6.2.2.1 6.2.3 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.2.4
File (im_le) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 6.2.4.1 6.2.4.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Functions and procedures exported by im_le . . . . . . . . . . . . . . . . . . . . . . . . . . 81 6.2.4.2.1 6.2.4.3 Functions exported by im_le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.2.5
6.2.6
Kernel (im_kernel) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6.2.6.1 6.2.7
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Mark (im_mark) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 6.2.7.1 6.2.7.2 6.2.7.3 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Fields generated by im_mark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.2.8
MS EventLog for Windows XP/2000/2003 (im_mseventlog) . . . . . . . . . . . . . . . . . . . . . . . . 85 6.2.8.1 6.2.8.2 6.2.8.3 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Fields generated by im_mseventlog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
6.2.9
MS EventLog for Windows 2008/Vista and later (im_msvistalog) . . . . . . . . . . . . . . . . . . . . . 88 6.2.9.1 6.2.9.2 6.2.9.3 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Fields generated by im_msvistalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
6.2.10 Null (im_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 6.2.11 TLS/SSL (im_ssl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 6.2.11.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 6.2.11.2 Fields generated by im_ssl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 6.2.11.3 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 6.2.12 TCP (im_tcp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 6.2.12.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 6.2.12.2 Fields generated by im_tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 6.2.12.3 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 6.2.13 UDP (im_udp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 6.2.13.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 6.2.13.2 Fields generated by im_udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 6.2.13.3 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 6.2.14 Unix Domain Socket (im_uds) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 6.2.14.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 6.2.14.2 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 6.3 Processor modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 6.3.1 Blocker (pm_blocker) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 6.3.1.1 Functions and procedures exported by pm_blocker . . . . . . . . . . . . . . . . . . . . . . . . 96 6.3.1.1.1 6.3.1.1.2 6.3.1.2 6.3.2 Functions exported by pm_blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Procedures exported by pm_blocker . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Buffer (pm_buffer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 6.3.2.1 6.3.2.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Functions and procedures exported by pm_buffer . . . . . . . . . . . . . . . . . . . . . . . . 98 6.3.2.2.1 Functions exported by pm_buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.3.2.3 6.3.3
Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Event correlator (pm_evcorr) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 6.3.3.1 6.3.3.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
6.3.4
Filter (pm_lter) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 6.3.4.1 6.3.4.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
6.3.5
Message deduplicator (pm_norepeat) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 6.3.5.1 6.3.5.2 6.3.5.3 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Fields generated by pm_norepeat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.3.6 6.3.7
Null (pm_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Pattern matcher (pm_pattern) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 6.3.7.1 6.3.7.2 6.3.7.3 6.3.7.4 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Pattern database le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Fields generated by pm_pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
6.3.8
Message format converter (pm_transformer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 6.3.8.1 6.3.8.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
6.4
Output modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 6.4.1 Blocker (om_blocker) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 6.4.1.1 6.4.2 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
DBI (om_dbi) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 6.4.2.1 6.4.2.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
6.4.3
Program (om_exec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 6.4.3.1 6.4.3.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.4.4
File (om_le) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 6.4.4.1 6.4.4.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Functions and procedures exported by om_le . . . . . . . . . . . . . . . . . . . . . . . . . . 117 6.4.4.2.1 6.4.4.2.2 6.4.4.3 Functions exported by om_le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Procedures exported by om_le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.4.5
HTTP(s) (om_http) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 6.4.5.1 6.4.5.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Functions and procedures exported by om_http . . . . . . . . . . . . . . . . . . . . . . . . . . 120 6.4.5.2.1 Procedures exported by om_http . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Ed. v2.6.1131 ix
Null (om_null) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 TLS/SSL (om_ssl) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 6.4.7.1 6.4.7.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
6.4.8
6.4.9
UDP (om_udp) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 6.4.9.1 6.4.9.2 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.4.10 UDS (om_uds) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 6.4.10.1 Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 6.4.10.2 Conguration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 7 Ofine log processing 7.1 8 125
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 8.1.1 Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 8.1.1.1 8.1.1.2 8.1.1.3 Windows EventLog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Microsoft SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Microsoft IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 8.1.1.3.1 8.1.1.3.2 8.1.1.3.3 8.1.1.3.4 8.1.2 8.1.3 W3C Extended Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Microsoft IIS Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 NCSA Common Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 ODBC Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
8.2
8.3
Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 8.3.1 8.3.2 Using im_dbi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Using im_odbc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
8.4
Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Ed. v2.6.1131 x
8.5 8.6
External programs and scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 8.6.1 Apache HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 8.6.1.1 8.6.1.2 8.6.1.3 8.6.2 Error log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Access log - Common Log Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Access log - Combined Log Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Apache Tomcat and java application logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Cisco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 133
8.7
Processing logs 9.1 9.1.1 9.1.2 9.1.3 9.1.4 9.1.5 9.1.6 9.1.7 9.2 9.3
Parsing various formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 W3C Extended Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 NCSA Common Log File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 NCSA Combined Log Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 WebTrends Enhanced Log Format (WELF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Field delimited formats (CSV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 JSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Parsing date and time strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Filtering messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 9.3.1 9.3.2 Using drop() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Filtering through pm_lter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Using module variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Using xm_multiline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Sending all messages to an external program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Invoking a script or program for each message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
9.4
9.5
Alerting, calling external scripts and programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 9.5.1 9.5.2 9.5.3
Rewriting and modifying messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Message format conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Character set conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Discarding messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
9.10 Rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 9.11 Buffering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 9.12 Pattern matching and message classication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 9.12.1 Regular expressions in the Exec directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 9.12.2 Using pm_pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 9.13 Event correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 9.14 Log rotation and retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 9.15 Explicit drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Ed. v2.6.1131 xi
146
10.1 Data format of the output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 10.2 Forwarding over the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 10.3 Sending to sockets and les . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 10.4 Storing logs in a database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 11 Tips and tricks 148
12.1 nxlogs internal logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 12.1.1 Check the contents of the LogFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 12.1.2 Injecting own logs into a route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 12.1.3 LogLevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 12.1.4 Running in foreground . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 12.1.5 Using log_info() in the Exec directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 12.2 Common problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 12.2.1 Missing logdata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 12.2.2 nxlog failed to start, cannot read conguration le . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 12.2.3 nxlog.log is in use by another application and cannot be accessed . . . . . . . . . . . . . . . . . . . . . 152 12.2.4 Connection refused when trying to connect to im_tcp or im_ssl . . . . . . . . . . . . . . . . . . . . . . . 152 12.3 Debugging and dumping messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Chapter 1
Introduction
1.1 Overview
Todays IT infrasturcture can be very demanding in terms of event logs. Hundreds of different devices, applications, appliances produce vast amounts of event log messages. These must be handled in real time, forwarded or stored in a central location after ltering, message classication, correlation and other typical log processing tasks. In most organizations these tasks are solved by connecting a dozen different scripts and programs which all have their custom format and conguration. nxlog is a high-performance multi-platform log management solution aimed at solving these tasks and doing it all in one place. nxlog can work in a heterogenous environment collecting event logs from thousands of different sources in many formats. nxlog can accept event logs from tcp, udp, le, database and various other sources in different formats such as syslog, windows event log etc. It can perform log rewrite, correlation, alerting, pattern matching, execute scheduled jobs, or even log rotation. It was designed to be able to fully utilize todays multi-core CPU systems. Its multi-threaded architecture enables input, log processing and output tasks to be executed in parallel. Using a high-performance I/O layer it is capable of handling thousands of simultaneous client connections and process log volumes above the 100.000 EPS range. nxlog tries hard to minimize loosing log messages, it does not drop any unless instructed to. It can process input sources in a prioritized order, meaning that a higher priority source will be always processed before others. This can further help avoiding UDP message loss for example. In case of network congestion or other log transmission problems, nxlog can buffer messages on the disk or in memory. Using loadable modules it supports different input sources and log formats, not only limited to syslog but windows event log, audit logs or even custom binary application logs. It is possible to further extend its functionality by using custom loadable modules similarly to the Apache Web server. In addition to the online log processing mode it can be used to process logs in batch mode in an ofine fashion. A powerful conguration language with an Apache style conguration le syntax enables it to rewrite logs, send alerts, execute external scripts or do virtually anything based on any criteria specied using the nxlog conguration language.
1.2
1.2.1
Features
Multiplatform
nxlog is built to utilize the Apache Portable Runtime Library (libapr), the same solid foundation as the Apache Webserver is built on which enables nxlog to run on many different operating systems including different Unix avors (Linux, HP-UX, Solaris, *BSD etc). It compiles and runs as a native Windows application without requiring the CygWin libraries on Microsoft Windows platforms.
1.2.2
Modular architecture
nxlog has a lightweight modular architecture, pluggable modules are available to provide different features and functions similarly to the Apache HTTP server. Log format parsers, transmission protocol handlers, database handlers and nxlog language extensions are such modules. A module is only loaded if it is necessary, this helps reduce memory as well. The core of nxlog only contains
code to handle les and sockets in addition to the conguration parser and the lightweight built-in language engine. All transport protocol handlers, format parsers (such as syslog) etc reside in modules. Modules have a common API, developers can easily write new modules and extend the functionality of nxlog.
1.2.3
Client-server mode
nxlog can act as a client and/or a server. It can collect logs from local les and the operating system then forward it to to a remote server. It can accept connections and receive logs over the network then write these to a database or les or forward it further. It all depends how it is congured.
1.2.4
In addition to reading from and writing to log les, nxlog supports different protocols on the network and transport layer such as TCP, UDP, TLS/SSL and Unix Domain Socket. It can both read and write from such sources and can convert between then, read input from an UDP socket and send out in TCP for example. Many database servers are supported (PostgreSQL, MySQL, Oracle, MsSQL, SqlLite, Sybase, etc) through database input and output modules so that log messages or data extracted from log messages can be stored or read from a database.
1.2.5
Importance of security
On unix systems nxlog can be instructed to run as a normal user by dorpping its root privileges. Modules requiring special privileges (e.g. kernel, tcp port bind below 1024) use Linux capabilites and do not require it to be running as root. To secure data and event logs, nxlog provides TLS/SSL transport so that messages cannot be intercepted and/or altered during transmission.
1.2.6
Using an event based architecture, tasks within nxlog are processed in a parallel fashion. Non-blocking I/O is used wherever possible and a worker thread pool takes care of handling ready to be processed log messages. Reading input, writing output and log processing (parsing, pattern matching, etc) are all handled in parallel. For example when single threaded syslog daemons block trying to write output to a le or database, UDP input will be lost. The multi-threaded architecture of nxlog not only avoids this problem but enables to fully utilize todays multi-core and multi-processor systems for maximum throughput.
1.2.7
Traditional POSIX systems provide the select(2) and/or poll(2) system calls to monitor le descriptors, unfortunately using these methods is not scalable. Modern operating systems have some I/O readiness notication API to enable handling a large number of open les and network connections simultaneously. nxlog is capable of using these high-performance I/O readieness notication APIs and can handle thousands of simultaneous network connections. Together with its massively multi-threaded architecture, this enables nxlog to process log messages from thousands of simultaneous network connections above the hundred thousand event per second (EPS) range.
1.2.8
Message buffering
When write blocks on the sending side, because of a network trouble for example, nxlog will throttle back on the input side using ow control. In some cases it is preferable that the logs are continued to be read on the input side, to avoid dropping UDP syslog messages for example. There is a module avalable which makes it possible to buffer log messages to disk and/or memory. When the problems are solved and the system is back in order and can send out messages faster then being received, then the buffer is automatically emptied. Together with the nxlog language it is also possible to do conditional buffering based on different parameters (time or system load for example).
1.2.9
Prioritized processing
Not all log sources are always equally important. Some systems send critical logs which should be processed at a higher priority than others. nxlog supports assigning priorites to log routes, this ensures that higher priority log messages are dealt with (read, processed and written/sent out) rst, only then are the messages with lower priorities handled. For example this can help avoiding the situation where a TCP input can overload the system leading to dropped incoming UDP syslog messages.
1.2.10
Built-in ow control ensures that nxlog does not drop log messages and you will not see any logs such as the following:
Dec 18 18:42:42 server syslog-ng[1234]: STATS: dropped 42
Though nxlog can be explicitly instructed to drop log messages depending on certain conditions in order to avoid a possible resource exhaustion or lter out unwanted messages. UDP syslog is a typical case where a message can be lost due to the nature of the UDP protocol. If the kernel buffer becomes full because it is not read, the operating system will drop any further received UDP messages. If a log processing system is busy processing logs, reading from TCP and UDP and writing to database or disk, the kernel UDP buffer can ll quickly. Utilizing the above mentioned parallel processing, buffering and I/O prioritization features it is possible to greatly reduce losing UDP syslog messages. Of course using TCP can help avoiding message loss, unfortunately there are many archaic devices which only support UDP syslog.
1.2.11
nxlog uses Apache style conguration le syntax. This format is in use by many other popular system daemons and tools as it is easy to read and/or generate by both humans and scripts.
1.2.12
A built-in conguration language enables administrators to create complex rules, format or rewrite messages or execute some action. Using this language it is possible to do virtually anything without the need to forward messages to an external script. Loadable modules can register their own procedures and functions to further extend the capabilities of the nxlog language. Perl is a highly popular language in solving log processing tasks. The built-in nxlog language is very similar in syntax to Perl. In addition to the normal operations it supports polymorphic functions and procedures, regular expressions with captured substrings. It should be fairly trivial to write and understand by people experienced in Perl programming unlike some macro based conguration languages found in other solutions.
1.2.13
Scheduled tasks
nxlog has a built-in scheduler similar to cron, but with more advanced capabilities to specify the timings. Using this feature, administrators can automate tasks such as log rotation or system health check from within nxlog without having to use external scheduler tools. Each module can schedule any number of actions to be executed through the built-in nxlog language.
1.2.14
Log rotation
Log les can be rotated by size or time without the need of external log rotation tools. Log rotation can also be scheduled in order to guarantee timely le rotation. The le input reader module supports external log-rotation scripts, it can detect when an input le was moved/renamed and will reopen its input. Similarly, the le output writer module can also monitor when the le being written to is rotated and will reopen its original output. This way it is possible to keep using external log rotation tools without the need to migrate to the built-in log rotation.
1.2.15
Nxlog supports both the older legacy syslog format (RFC 3164) and the newer IETF Syslog standard (RFC 5424) and it can also produce syslog in the Snare Agent format. nxlog is not only a syslog daemon but can handle many other protocols and log le formats such as Windows Event Log, Checkpoint logs through LEA, OS audit logs, log message data in comma separated (CSV) format or delimited, GELF, JSON, XML or custom application logs. It can parse and generate most of these formats as well. It is only a matter of selecting the appropriate log format parser. Log format parsers are also provided by loadable modules, nxlog will only use parsers which are congured and required for its log processing. For example if the log processing task does not deal with any syslog data, then there is no need to load the syslog module at all. Using regular expressions and string operation functions of the built-in nxlog language, any data can be extracted from log messages and can be converted to any format required. It is possible to congure nxlog in such a way that it reads log messages in one format then converts it internally to a different one and sends the output to another destination enabling on-the-y log conversion. For example it is possible to convert Windows Event Log to syslog on a Windows host and send it to a central syslog server. By using log format parser functions, nxlog can handle multi-line log messages (such as the Apache Tomcat log) or even custom binary formats. A special nxlog message format can preserve the parsed elds of log messages and transfer these across the network or store in les which alleviates the need to parse the messages again at the reception without loosing any information.
1.2.16
In addition to the features provided by the above mentioned built-in nxlog language, using additional modules nxlog is capable to solve all tasks related to log message processing such as message classication, event correlation, pattern matching, message ltering, rewrite, conditional alerting etc.
1.2.17
Sometimes messages need to be processed in an ofine fashion, convert log les to another format, lter out messages or load les into a database for log analysis purposes. nxlog can also work in an ofine mode when it processes log messages until there is no more input and then exits, so it is possible to do batch processing tasks with it as well. It is an important factor that in ofine mode the time of the event and the current time are not the same and are not even close. Many log processing tools assume the event time to be the current time, thus making ofine processing impossible. Due to network problems and buffering it is possible that log messages are not received instantly but with some delay. Making decisions based on event reception time instead of the timestamp provided in the message is a big mistake and can lead to false alarms in event correlation engines for example. By using the event time available in messages, nxlog can work properly in both ofine and online mode with log messages. This is escpecially important to be able to do proper time based event correlation in real-time and in ofine mode as well.
1.2.18
Log messages can be emitted in different languages and character sets. It is also a common problem that the messages use different character sets even for one language. For example Microsoft Windows systems use the UTF-16 character set, other systems can create messages using the UTF-8 encoding. UTF-8 has become a standard on Unix systems, yet some legacy applications and system settings create log messages using another codepage, for example latin-2 or ISO-8859-2 in Eastern Europe or EUC-JP in Japan. Comparing two strings in different character sets can likely fail. Also some database engines only support storing text data in one character set only, trying to insert text in a different character set can result in an error and data loss. It is a good practice to normalize logs to a common character set such as UTF-8 in order to overcome these problems. nxlog supports explicit character set conversion from one character set to another. In addition it can also detect the character set of a string and convert it to a specic character set. Using charset autodetection, nxlog is capable of normalizing log messages which can contain strings in mixed character sets even without knowing the exact encoding of the source log message.
Chapter 2
2.1
Microsoft Windows
Install the MSI pacakge Run the nxlog installer using the MSI package, accept the license agreement and click nish. Edit nxlog.conf The nxlog conguration le nxlog.conf is put under C:\Program Files\nxlog\conf or C:\Program Files (x86)\nxlog\conf on 64bit architectures. Using a text editor such as notepad.exe, open nxlog.conf. Verify the ROOT path in nxlog.conf The windows installer uses the C:\Program Files\nxlog directory for the installation. On 64bit machines this is C:\Program Files (x86)\nxlog. We refer to this as the ROOT path. Please verify the nxlog.conf conguration le and use the appropriate ROOT path:
define ROOT C:\Program Files\nxlog or define ROOT C:\Program Files (x86)\nxlog
Congure nxlog The most common use-case for nxlog on windows is to collect logs from the EventLog subsystem and forward it over the network. Here is a simple conguration which reads the EventLog and forwards it over UDP in the SNARE agent format.
<Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> <Input eventlog> Module im_msvistalog </Input> <Output out> Module Host Port Exec </Output> <Route 1>
Path </Route>
There are endless congurations for Windows systems depending on what to collect and how to send or store. Please read the relevant chapters from this manual: Reading and receiving logs Processing logs Forwarding and storing logs Start nxlog nxlog can be started using the following methods: Start the Service Manager, nd nxlog in the list. Select it and start the service. Double-click on nxlog.exe. Check the logs The default conguration instructs nxlog to write its own logs to the le located at C:\Program Files\ nxlog\data\nxlog.log or C:\Program Files (x86)\nxlog\data\nxlog.log. Open it with notepad.exe and check for errors. Note that some text editors (such as wordpad) need exclusive locking and will refuse to open the log le while nxlog is running.
2.2
2.2.1
GNU/Linux
Installing from DEB packages (Debian, Ubuntu)
Install the dependencies rst To list the dependencies, use the following command:
dpkg-deb -f nxlog_1.4.581_amd64.deb Depends
Then make sure all listed dependencies are installed. Alternatively you can run apt-get install -f after trying to install the package with dpkg and getting an error due to the missing dependencies. Install the deb package To install the deb package, issue the following command as root:
dpkg -i nxlog_1.4.581_amd64.deb
2.2.2
2.2.3
After the package is installed check and edit the conguration le located at /etc/nxlog.conf. It contains an example conguration which you will likely want to modify to suit your needs. Please read the relevant chapters from this manual on how to congure nxlog: Reading and receiving logs Processing logs Forwarding and storing logs
Chapter 3
For a few years we have been using a modied version of msyslog. It is also capable of using plugins for different inputs and outputs. Unfortunately, like many other syslog implementations, it was based on the BSD syslog with a single threaded architecture. Since it was a syslog daemon, everything had to be converted to syslog. We soon realized that something better is needed with the features required by a modern logging solution. We started looking for other solutions. There were a few possible alternatives to msyslog with some nice features (e.g. rsyslog, syslog-ng, etc), but none of them qualied. Most of them were still single threaded, syslog oriented without native support for MS Windows, in addition to awkward conguration syntax, ugly source-code and so on. So I decided that it would be easier for us on the long term to design and write nxlog from scratch instead of hacking something else. Thus nxlog was born in 2009 and has been a closed source product heavily used in several production deployments since. The source code of NXLOG Community Edition was released under the GPL/LGPL in November 2011.
3.2
Concepts
Most log processing solutions are built around the same concept. The input is read from a source, then the log messages are processed. Finally output is written or sent to a sink in other terminology. When an event occurs in an application or a device, depending on its conguration a log message is emitted. This is usually referred to as an "event log" or "log message". These log messages can have different formats and can be transmitted over different protocols depending on the actual implementation. There is one thing common in all event log messages. All contain important data such as user names, IP addresses, application names, etc. This way an event can be represented as a list of key-value pairs which we call a "eld". The name of the eld is the key and the eld data is the value. In another terminology this meta-data is sometimes referred to as event property or message tag. The following example illustrates a syslog message:
<30>Nov 21 11:40:27 log4ensics sshd[26459]: Accepted publickey for log4ensics from 192.168.1.1 port 41193 ssh2 
26459 sshd Accepted publickey for log4ensics from 192.168.1.1 port 41193 ssh2
nxlog will try to use the Common Event Expression standard for the eld names once the standard is stable. nxlog has a special eld, $raw_event. This eld is handled by the transport (UDP, TCP, File, etc) modules to read input into and write output from it. This eld is also used later to parse the log message into further elds by various functions, procedures and modules.
3.3
Architecture
By utilizing loadable modules, the plugin architecture of nxlog allows it to read data from any kind of input, parse and convert the format of the messages and then send it to any kind of output. Different input, processor and output modules can be used at the same time to cover all the requirements of the logging environment. The following gure illustrates the ow of log messages using this architecture.
Architecture The core of nxlog is responsible for parsing the conguration le, montitoring les and sockets, and managing internal events. It has an event based architecture, all modules can dispatch events to the core. The nxlog core will take care of the event and will optionally pass it to a module for processing. nxlog is a multi-threaded application, the main thread is responsible for monitoring les and sockets. These are added to the core by the different input and output modules. There is a dedicated thread handling internal events. It sleeps until the next event is to be processed then wakes up and dispatches the event to a worker thread. nxlog implements a worker thread-pool model. Worker threads receive an event which must be processed immediately. This way the nxlog core can centrally control all events and the order of their execution making prioritized processing possible. Modules which handle sockets or les are written to use non-blocking I/O in order to ensure that the worker threads never block. The les and sockets monitored by the main thread also dispatch events which are then delegated to the workers. Each event belonging to the same module is executed in sequential order, not concurrently. This ensures that message order is kept and gives a great benet of not having to deal with concurrency issues in modules. Yet the modules (worker threads) run concurrently, thus the global log processing ow is greatly parallelized. When an input module receives data, it creates an internal representation of the log message which is basically a structure containing the raw event data and any optional elds. This log message is then pushed to the queue of the next module in the route and an internal event is generated to signal the availability of the data. The next module after the input module in a route can be either a processor module or an output module. Actually an input or output module can also process data through built in code or using the nxlog language execution framework. The only difference is that processor modules are run in another worker thread, thus parallelizng log processing even more. Considering that processor modules can also be chained, this can efciently distribute work among multiple CPUs or CPU cores in the system.
Chapter 4
Conguration
nxlog uses Apache-style conguration les. The conguration le is loaded from its default location or it can be explicitly specied with the -c command line argument. The cong le is made up of blocks and directives. Blocks are similar to xml tags containing multiple directives. Directive names are case insensitive but arguments are not always. A directive and its argument must be specied on the same line. Values spanning multiple lines must have the newline escaped with the backslash "\". A typical case for this is the Exec directive. Blank lines are ignored. Lines starting with the hashmark "#" are comments and are ignored. The conguration le can be logically divided into three parts: global parameters, module denitions and their conguration and routes which link the modules together according to the data ow required.
4.1
File inclusion
Using the include directive it is possible to specify a le which will be included in the current cong le. Special care must be taken when specing les with relative lenames. The SpoolDir directive will only take effect after the conguration was parsed, so relative paths specied with the include directive are relative to the working directory where nxlog was started from. The include directive also supports wildcarded le names (e.g. *.conf) so that it is possible to include a set of les within a directory without the need to explicitly list all. Example 4.1 File inclusion example
include modules/module1.conf
4.2
Denes are useful if there are many instances in the code where the same value must be used, directory or host names are typical cases. In such cases the value can be congured with a single denition. This can be used to not only dene constants but any string like code snippets or parser rules. An nxlog dene works similarly as in C where the preprocessor substitutes the value in places where the macro is used, i.e. the nxlog conguration parser will rst replace all occurences of the dened name with its value, only after this substitution will the conguration check occur.
The following example shows an incorrect use if the dene directive. After substitution the drop() procedure will be always executed, only the warning message is emitted conditionally. Example 4.4 Incorrect use of a dene
define ACTION log_warning("dropping message"); drop(); <Input messages> Module im_file File /var/log/messages Exec if $raw_event =~ /dropme/ %ACTION% </Input>
To avoid this problem, the dened action should be one code block, i.e. it should be enclosed within curly braces:
define ACTION { log_warning("dropping message"); drop(); }
4.3
Global directives
ModuleDir By default the nxlog binaries have a compiled-in value for the directory to search for loadable modules. This can be overrridden with this directive. The module directory contains subdirectories for each module type (extension, input, output, processor) and the module binaries are located in those. PidFile Under Unix operating systems nxlog writes a pid le as other system daemons do. The default value can be overridden with this directive in case multiple daemon instances need to be running. This directive has no effect on MS Windows or with the nxlog-processor. LogFile nxlog will write its internal log to this le. If this directive is not specied, self logging is disabled. Not that the im_internal module can be also used to direct internal log messages to les or different output destinations, but this does not support loglevel below info. This LogFile directive is especially usefull for debugging. LogLevel This directive has ve possible values: CRITICAL, ERROR, WARNING, INFO, DEBUG It will set the logging level used for LogFile and the standard output if nxlog is started in the forground. By default the LogLevel is INFO. SuppressRepeatingLogs Under some circumstances it is possible for nxlog to generate an extreme amount of internal logs consisting of the same message due to a misconguration or software bug. This can lead to an extreme usage of disk space by LogFile and nxlog can quickly ll up the disk. With this directive nxlog will write at most 2 lines per second if the same message is generated successively by emitting last message repeated x times will suppress these messages. This directive takes a boolean value (TRUE or FALSE). If this directive is not specied in the cong le, it defaults to TRUE, i.e. repeating message suppression is enabled.
NoCache Some modules save data to a cache le which is persisted across a shutdown/restart. Modules such as im_le will save the le position in order to be able to continue reading from the same position where it left off after a restart. This caching mechanism can be explicitely turned off with this directive, this is mostly useful with the nxlog-processor in ofine mode. This directive takes a boolean value (TRUE or FALSE). If this directive is not specied in the cong le, it defaults to FALSE, i.e. caching is enabled. CacheDir This directive species a directory where the cache le called configcache.dat should be written to. This directive has a compiled-in value which is used by default. User nxlog will drop to user specied with this directive. This is useful if nxlog needs privileged access to some system resources such as kernel messages or port bind below 1024. On Linux systems it will use capabilites to be able to access these resources. In this case nxlog must be started as root. The user can be specied by name or by numeric id. This directive has no effect on MS Windows or with the nxlog-processor. Group Similar to User, nxlog will set the group ID to be running under. The group can be specied by name or by numeric id. This directive has no effect on MS Windows or with the nxlog-processor. RootDir nxlog will set its root directory to the value specied with this directive. If SpoolDir is also set, this will be relative to the value of RootDir, i.e. chroot() is called rst. This directive has no effect on MS Windows or with the nxlog-processor. SpoolDir nxlog will change its working directory to the value specied with this directive. This is useful with les created through relative lenames, e.g. with om_le and in case of core dumps. This directive has no effect with the nxlogprocessor. Threads This optional directive species the number of worker threads to use. The number of the worker threads is calculated and set to an optimal value if this directive is not dened. You should not set this unless you know what you are doing. FlowControl This optional boolean directive species whether all input and processor modules should use ow-control. This defaults to TRUE. See the description of the module level FlowControl directive for more information. NoFreeOnExit This directive has only a debugging purpuse. When set to TRUE, nxlog will not free module resources on exit. Otherwise valgrind is unable to show proper stack trace locations in module function calls. The default value is FALSE if not specied. IgnoreErrors If set to FALSE, nxlog will stop if it encounters a problem with the conguration le such as an invalid module directive or if there are other problems which would prevent all modules functioning correctly. If set to TRUE, nxlog will start after logging the problem. The default value is TRUE if the directive is not specied. Panic A panic condition is a critical state which usually indicates a bug. Assertions are used in nxlog code for checking conditions where the code will not work unless the asserted condition is satised. Failing assertions result in a panic and these also suggest a bug in the code. A typical case is checking for NULL pointers before pointer dereference. Assertions have also a security value. This directive can take three different values: HARD, SOFT or OFF. HARD will cause an abort in case the assertion fails. This is how most C based programs work. SOFT will cause an exception to be thrown at the place of the panic/assertion. In case of NULL pointer checks this is identical to a NullPointerException in Java. It is possible that nxlog can recover from exceptions and can continue to process log messages, or at least the other modules can. In case of assertion failure the location and the condition is printed at CRITICAL loglevel in HARD mode and ERROR loglevel in SOFT mode. If Panic is set to OFF, the failing condition is only printed in the logs but the execution will continue on the normal code path. Most of the time this will result in a segmentation fault or other undened behavior, though there can be a case where turning off a buggy assertion or panic lurking somewhere in the code will solve the problems caused by it in HARD/SOFT mode. The default value for Panic is SOFT.
4.4
Modules
nxlog will only load modules which are used and specied in the conguration le. The followin is a skeleton cong block for an input module:
<Input instancename> Module im_module ... </Input>
The instance name must be unique, can contain only the characters [a-zA-Z0-9_-]. The inctance name is referenced from the route denition as well as the Processors directive. Four types of modules exist in nxlog, these must be decalred with the Input, Processor, Output and Extension tags.
4.4.1
This directive is mandatory as it species which loadable binary should be loaded. The module binary has a .so extension on Unix and a .dll on MS Windows platforms and resides under the ModuleDir location. All module binary names are prexed with either im_, pm_, om_, xm_. These stand for input module, processor module, output module and extension module. It is possible that multiple instances use the same loadable binary. In this case the binary is only loaded once but instantiated multiple times. Different module instances may have different conguration.
4.4.1.2 FlowControl
This optional boolean directive species whether the module should be using ow-control. This can be used only in Input and Processor modules. Flow-control is enabled by default if this directive is not sepcied. This module-level directive can be used to override the global FlowControl directive. When ow-control is in effect, a module (input or processor) which tries to forward log data to the next module in the route will be suspended if the next module cannot accept more data. For example if a network module (e.g. om_tcp) cannot forward logs because of a network error, the proceeding module in the route will be paused. When ow-control is disabled, the module will drop the log record if the queue of the next module in the route is full. Disabling ow-control can be also useful when more output modules are congured to store or forward log data. When owcontrol is enabled, the output modules will only store/forward log data if all outputs are functional. Consider the case when log data is stored in a le using om_le and also forwarded over the network using om_tcp. When ow-control is enabled, a network disconnection will make the data ow stall and log data will not be written into the local le either. With ow-control disabled, nxlog will write log data to the le and will drop messages that the om_tcp network module cannot forward.
Note It is recommended to disable FlowControl when the im_uds module is used to collect local syslog from the /dev/log unix domain socket. Otherwise the syslog() system call will block in all programs which are trying to write to the system log if the Output queue becomes full and this will result in an unresponsive system.
4.4.1.3
Schedule
The Schedule block can be used to execute periodic jobs such as log rotation or any other task. Scheduled jobs have the same priority as the module. The schedule block has the following directives: When This directive takes a value similar to a crontab entry which consists of ve space separated denitions for minute, hour, day, month and weekday. See the crontab(5) manual for the eld denitions. It supports lists as comma separated values and/or ranges. Step values are also supported with the slash. Month and week days are not supported, these must be dened with numeric values. The following extensions are also supported:
@yearly @annually @monthly @weekly @daily @midnight @hourly Run once (same as Run once Run once Run once (same as Run once a year, "0 0 1 1 *". @yearly) a month, "0 0 1 * *". a week, "0 0 * * 0". a day, "0 0 * * *". @daily) an hour, "0 * * * *".
Every In addition to the crontab format it is possible to schedule execution at periodic intervals. With the crontab format it is not possible to run jobs every ve days for example, this directive enables it in a simple way. It takes an integer value with an optional unit. The unit can be one of the following: sec, min, hour, day, week. If the unit is not specied, the value is assumed to be in seconds. First This directive sets the rst execution time. If the value is in the past, the next execution time is calculated as if nxlog has been running since and jobs will not be run to make up the missed events in the past. The directive takes a datetime literal value. Exec The Exec directive takes one or more nxlog statement. This is the code which is actually being scheduled. Multiple Exec directives can be specied within one Schedule block, so this behaves the same as the Exec directive of the modules. See that for more details. Note that it is not possible to use elds in statements here because execution is not triggered by log messages. Example 4.5 Two scheduled jobs in the context of the im_tcp module
<Input in> Module im_tcp Port 2345 <Schedule> Every 1 sec First 2010-12-17 00:19:06 Exec log_info("scheduled execution at " + now()); </Schedule> <Schedule> When 1 */2 2-4 * * Exec log_info("scheduled execution at " + now()); </Schedule> </Input> <Output out> Module om_file File "tmp/output" </Output> <Route 1> Path in => out </Route>
4.4.1.4
Exec
The Exec directive contains statements in the nxlog language which are executed when a module receives a log message. This directive is available in all input, processor and output modules. It is not available in extension modules because these dont handle log messages directly. More than one Exec may be specied. In this case these are executed in the order of appearance. Due to the limitations of the apache conguration le format, each directive must be one line unless it contains a trailing backslash "\" character. Example 4.6 Exec statement spanning multiple lines
Exec if $Message =~ /something interesting/ \ log_info("found something interesting"); else log_debug("found nothing interesting"); \ \
Note You cannot split the lines in the rst example as the exec directive must contain a full statement. It is only possible to split the Exec arguments if it contains multiple statements as in the second example above.
4.4.1.5
Processors
This directive species the name of the registered input reader function to be used for parsing raw events from input data. Names are treated case insensitively. This is a common directive only for stream oriented input modules: im_le, im_exec, im_ssl, im_tcp, im_udp, im_uds. Note that im_udp may only work properly if log messages do not span multiple packets and log messages are within the UDP message size limit. Otherwise the loss of a packet may lead to parse errors. These modules work by lling an input buffer with data read from the source. If the read operation was successfull (i.e. there was data coming from the source), the module calls the specied callback function. If this is not explicitly specied, it will use the module default. Modules may provide custom input reader functions. Once these are registered into the nxlog core, the modules listed above will be capable of using these. This makes it easier to implement custom protocols because these can be developed without the need of taking care about the transport layer. The following input reader functions are provided by the nxlog core: LineBased The input is assumed to contain log messages separated by newlines. Thus if an LF (\n) or CRLF (\r\n) is found, the function considers that it has reached the end of the log message. Dgram Once the buffer is lled with data, it is considered to be one log message. This is the default for the im_udp input module, since UDP syslog messages arrive in separate packets. Binary The input is parsed in the nxlog binary format which is capable of preserving parsed elds of the log messages. The LineBased reader is capable of automatically detecting log messages in the Binary nxlog format, it is only recommended to congure InputType to Binary if no compatibility with other logging software is required.
4.4.1.7
OutputType
This directive species the name of the registered output writer function to be used for formatting raw events when sending to different destinations. Names are treated case insensitively. This is a common directive only for stream oriented output modules: om_le, om_exec, om_ssl, om_tcp, om_udp, om_uds. These modules work by lling the output buffer with data to be written to the destination. The specied callback function is called before the write operation. If this is not explicitly specied, it will use the module default. Modules may provide custom output formatter functions. Once these are registered into the nxlog core, the modules listed above will be capable of using these. This makes it easier to implement custom protocols because these can be developed without the need to take care about the transport layer. The following output writer functions are provided by the nxlog core: LineBased The output will contain log messages separated by newlines (CRLF). Dgram Once the buffer is lled with data, it is considered to be one log message. This is the default for the om_udp output module, since UDP syslog messages are sent in separate packets. Binary The output is written in the nxlog binary format which is capable of preserving parsed elds of the log messages. Example 4.9 TCP output sending messages in nxlog format
<Input in> Module im_file File "tmp/input" </Input> <Output out> Module om_tcp Port 2345 Host localhost OutputType Binary </Output> <Route 1> Path in => out </Route>
4.5
Routes
Routes dene the ow and processing order of the log messages. The route must have a name and a Path. The name is specied similarly to the instance name in a module block. Example 4.10 Route block
<Route example> Path in1, in2 => proc => out1, out2 </Route>
4.5.1
Priority
This directive is optional. It takes an integer value as a parameter, its value must be in the range of 1-100. It defaults to 10 if it is not explicitly specied. Log messages in routes with a lower priority value will be processed before others. Actually this value is assigned to each module part of the route. The internal events of the modules are processed in priority order by the nxlog engine, thus modules of a route with a lower priority value (higher priority) will process log messages rst. This directive can be especially usefull to minimize syslog UDP message loss for example. Example 4.11 Prioritized processing
<Input tcpin> Module im_tcp Host localhost Port 514 </Input> <Input udpin> Module im_udp Host localhost Port 514 </Input> <Output tcpfile> Module om_file File "/var/log/tcp.log" </Output> <Output udpfile> Module om_file File "/var/log/udp.log" </Output> <Route udp> Priority 1 Path udpin => udpfile </Route> <Route tcp> Priority 2 Path tcpin => tcpfile </Route>
4.5.2
Path
The Path directive is where the data ow is dened. First the instance name of input modules are specied. If more than one input reads log messages which fed data into the route, then these must be separated by a comma. Input modules are followed by an arrow "=>" sign. Either processor modules or output modules follow. Processor modules must be separated by arrows, not commas, because they receive log messages in order, unlike input and output modules which work in parallel. Output modules are separated by commas. The syntax for the PATH directive is illustrated by the following:
Path INPUT1[, INPUT2...] => [PROCESSOR1 [=> PROCESSOR2...] =>] OUTPUT1[, OUTPUT2...]
The Path must contain at least an input and an output module. The following example shows different routes. Example 4.12 Different routes
<Input in1> Module im_null </Input> <Input in2> Module im_null </Input> <Processor p1> Module pm_null </Processor> <Processor p2> Module pm_null </Processor> <Output out1> Module om_null </Output> <Output out2> Module om_null </Output> <Route 1> # no processor modules Path in1 => out1 </Route> <Route 2> # one processor module Path in1 => p1 => out1 </Route> <Route 3> # multiple modules Path in1, in2 => p1 => p2 => out1, out2 </Route>
Chapter 5
Language
The nxlog core contains support for using a built-in interpreted language. This language can be used to make complex decisions or build expressions in the nxlog conguration le. The code written in the nxlog language is similar to Perl which is a common tool for developers and administrators to solve log processing tasks. When nxlog starts and reads its conguration le, directives containing nxlog language code are parsed and compiled into a pseudo-code. If a syntax error is found, nxlog will print the error. The pseudo-code is then evaluated at run-time, similarly to other interpreted languages. The nxlog language can be used in two ways. Some module directives (e.g. le names) require a value, for these expressions can be used if supported by the module. Other directives such as Exec take a statement or statements as argument. In addition to the built-in functions and procedures provided by the nxlog core, modules can register additional functions and procedures. This enables developers to extend the language through loadable modules so that additional processing features can be executed such as message formatters and parsers or data lookup functions. Due to the simplicity of the language there is no error handling (except for function return values) available to the administrator. If an error occurs during the execution of the nxlog pseudo-code, usually the error is printed in the nxlog logs. If an error occurs during log message processing it is also possible for the message to be dropped. In case sophisticated error handling or more complex processing is a requirement, the message processing can be implemented in an external script or program, in a dedicated nxlog module or in perl via the xm_perl module.
5.1
Types
The nxlog language is a typed language, this allows stricter syntax checking when parsing the conguration while trying to enforce type-safety. Though elds and some functions can return values with a type which can only be determined at run-time. The language provides only simple types, complex types such as arrays and hashes (associative arrays) are not supported. See xm_perl if you require such complex processing rules. The language also supports the undened value similarly to Perl. The following types are provided by the nxlog language: Unknown This is a special type for values where the type cannot be determined at compile time and for values which are uninitialized. The undef literal and elds without a value have also an unknown type. The unknown type can be also thought of as any in case of function and procedure api declarations. Boolean A boolean value which is either TRUE, FALSE or undened. Note that an undened boolean is not the same as a FALSE value. Integer An integer which can hold a signed 64 bit value in addition to the undened value. Floating point values are not supported. String A string is an array of characters in any character set. The binary type should be used for values where the NUL byte can also occur. An undened string is not the same as an empty string. Strings have a limited length to prevent resource exhaustion problems, this is a compile-time value currently set to 1M. Datetime A datetime holds a microsecond value elapsed since the Epoch and is always stored in UTC/GMT.
IPv4 Address Stores a dotted quad IPv4 address in an internal format (integer). IPv6 Address Stores an IPv6 address in an internal format. Regular expression A regular expression can only be used with the =~ or !~ operators. Binary This type can hold an array of bytes. Variadic arguments This is a special type only used in function and procedure api declarations to indicate variadic arguments.
5.2
Expressions
Expressions are a subset of the nxlog languge. Some module directives take an expression as a parameter which is then dynamically evaluated at run-time to a value. Expressions can also be used in statements. The following language elements are expressions: literals, elds, binary and unary operations, functions. In addition, brackets can be used around expressions as shown in the example below. Brackets can also help in writing more readable code. Example 5.1 Using brackets around expressions
if 1 + 1 == (1 + 1) log_info("2"); if (1 + 1) == (1 + 1) log_info("2"); if ((1 + 1) == (1 + 1)) log_info("2");
5.2.1
Literals
A literal is a representation of a xed value. A literal is an expression. Undef The undef literal has an unknown type. It can be also used in an assignment to unset a value of a eld, for example: Example 5.2 Unsetting a value of a eld
$ProcessID = undef;
Boolean A boolean literal is either TRUE or FALSE. It is case insensitive, so True, False, true, false are also valid. Integer An integer starts with a minus "-" sign if it is negative. The "0X" or "0x" prepended modier means a hexadecimal notation. The "K", "M" and "G" modiers are also supported which can be appended to mean Kilo (1024), Mega (10242) and Giga (10243). Example 5.3 Setting an integer value
$Limit = 42M;
String String literals are quoted characters using either single or double quotes. String literals specied with double quotes can contain the following escape sequences. \\ The backslash (\) character. \" The double quote (") character. \n Line feed (LF). \r Carriage return (CR). \t Horizontal tab. \b Audible bell.
\xXX A single byte in the form of a two digit hexadecimal number. For example the line-feed character can also be expressed as \x0A.
Note String literals in single quotes do not process the escape sequences. "\n" is a single character (LF) while \n is two characters. The following comparison is FALSE for this reason:
"\n" == \n
Extra care should be taken with the backslash when using double quoted string literals to specify le paths on windows. See this note for the le directive of im_le about the possible complications.
Regular expression Regular expressions must be quoted with slashes as in Perl. Captured substrings are accessible through a numeric reference such as $1. The full subject string is placed into $0. Example 5.5 A regular expression match operation
if $Message =~ /^Test (\S+)/ log_info("captured: " + $1);
Datetime The datetime literal is an unquoted representation of a time value expressing local time in the format of YYYY-MMDD hh:mm:ss Example 5.6 Setting a datetime value
$EventTime = 2000-01-02 03:04:05;
IPv4 Address An IPv4 literal value is expressed in dotted quad notation such as 192.168.1.1. IPv6 Address An IPv6 literal value is expressed by 8 groups of 16-bit hexadecimal values separated by colons (:) such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
5.2.2
Fields
A log message can be broken up into elds by parsers or is already emitted as a list of elds as discussed earlier. The eld has a name and in the nxlog language it is represented with the dollar "$" sign prepended to the name of the eld, similarly to Perls scalar variables. The name of the eld is allowed to have the following characters:
[[:alpha:]_][[:alnum:]\._]*
A eld which does not exist has an unknown type. A eld is an expression which evaluates to a value. Fields are only available in an evaluation context which is triggered by a log message. For example using a value of a eld in the Exec directive of a schedule block will result in a run-time error because this scheduled execution is not triggered by a log message. Fields are passed along the route and are available in each successive module in the chain. Eventually the output module is responsible for writing these. Stream oriented modules emit the data contained in $raw_event unless OutputType is set to something else (i.e. Binary).
5.2.3
Operations
Similarly to other programming languages and especially Perl, the nxlog language has unary and binary operations which are expressions and evaluate to a value.
5.2.3.1
Unary operations
Unary operations work with a single operand. Currently the following unary operations are available. It is possible to use brackets around the operand to which makes it look like a function call as in this example. not The not operator expects a boolean value. It will evaluate to undef if the value is undened. If it receives an unknown value which evaluates to a non-boolean, it will result in a run-time execution error. Example 5.7 Typical use of the not operand
if not $success log_error("failure");
- The unary negation operator before an integer is very similar to a negative integer, except that two or more minus "-" signs are not valid for an integer literal. Example 5.8 Unary negation
if - -1 != 1 log_error("this should never be printed");
dened The dened operation will evaluate to TRUE if the operand is dened, otherwise it is FALSE. Example 5.9 Use of the unary dened operation
if defined 1 log_info("1"); if defined(2) log_info("2"); if defined undef log_info("never printed");
5.2.3.2
Binary operations
Binary operations work with two operands and evaluate to a value. The type of the evaluated value depends on the type of the operands. Execution might result in a run-time error if the type of the operands are unknown at compile time and evaluate to types which are incompatible with the binary operation. The operations are described with the following syntax:
TYPE_OF_LEFT_OPERAND BINARY_OPERATION TYPE_OF_RIGHT_OPERAND = TYPE_OF_EVALUATED_VALUE
Below is a list of currently supported binary operations. =~ This is the regular expression match operation as in Perl. It takes a string and a regexp operand and evaluates to a boolean value which is TRUE if the regular expression matches the subject string. Captured substrings are accessible through a numeric reference such as $1. The full subject string is placed into $0. string =~ regexp = boolean regexp =~ string = boolean Example 5.10 Regular expression based string matching
if $Message =~ /^Test message/ log_info("matched");
Regexp based string substitution is also supported with the s/// operator. The /g modier can be used for global replacement. Variables and captured substring references cannot be used inside the reqular expression or the regexp substitution operator and will be treated literally as is.
!~ This is the opposite of =~, the expression will evaluate to TRUE if the regular expresion does not match on the subject string. It can be also written as not LEFT_OPERAND =~ RIGHT_OPERAND string !~ regexp = boolean regexp !~ string = boolean The s/// substitution operator is also supported. Example 5.12 Regular expression based string matching
if $Message !~ /^Test message/ log_info("didnt match");
== This operator compares two values for equality. Comparing a dened value with an undened results in undef! undef == undef = TRUE string == string = boolean integer == integer = boolean boolean == boolean = boolean datetime == datetime = boolean Example 5.13 Comparing integers
if $SeverityValue == 1 log_info("severity is one");
!= This operator compares two values for inequality. Comparing a dened value with an undened results in undef! undef != undef = FALSE string != string = boolean integer != integer = boolean boolean != boolean = boolean datetime != datetime = boolean Example 5.14 Comparing for inequality
if $SeverityValue != 1 log_info("severity is not one");
< This operation will evaluate to TRUE if the left operand is less than the operand on the right, FALSE otherwise. Comparing a dened value with an undened results in undef! integer < integer = boolean datetime < datetime = boolean Example 5.15 Less
if $SeverityValue < 1 log_info("severity is less than one");
<= This operation will evaluate to TRUE if the left operand is less than or equal to the operand on the right, FALSE otherwise. Comparing a dened value with an undened results in undef! integer <= integer = boolean datetime <= datetime = boolean Example 5.16 Less or equal
if $SeverityValue < 1 log_info("severity is less than or equal to one");
> integer > integer = boolean datetime > datetime = boolean Example 5.17 Greater
if $SeverityValue > 1 log_info("severity is greater than one");
>= integer >= integer = boolean datetime >= datetime = boolean Example 5.18 Greater or equal
if $SeverityValue >= 1 log_info("severity is greater than or equal to one");
and This is the boolean and operation which evaluates to TRUE if and only if both operands are TRUE. The operation will evaluate to undef if either operand is undened. boolean and boolean = boolean Example 5.19 And operation
if $SeverityValue == 1 and $FacilityValue == 2 log_info("1 and 2");
or This is the boolean and operation which evaluates to TRUE if either operand is TRUE. The operation will evaluate to undef if both operands are undened. boolean or boolean = boolean Example 5.20 Or
if $SeverityValue == 1 or $SeverityValue == 2 log_info("1 or 2");
+ This operation will result in an integer if both operands are integers. If either operand is a string, the result will be a string where non-string typed values are converted to a string. In this case it acts as a concatenation operator (which is the dot "." operator in Perl). Adding an undened value to a non-string will result in undef. integer + integer = integer string + undef = string
undef + string = string undef + undef = undef string + string = string Concatenate two strings. datetime + integer = datetime Add the number of seconds in the right value to the datetime stored in the left value. integer + datetime = datetime Add the number of seconds in the left value to the datetime stored in the right value. Example 5.21 Concatenation
if 1 + "a" == "1a" log_info("this will be printed");
- Subtraction. The result will be undef if either operand is undened. integer - integer = integer Subtract two integers. datetime - datetime = integer Subtract two datetime types. The result is the difference between to two expressed in microseconds. datetime - integer = datetime Subtract the number of seconds from the datetime stored in the left value. Example 5.22 Subtraction
if 4 - 1 == 3 log_info("four minus one is three");
* Multiply an integer with another. The result will be undef if either operand is undened. integer * integer = integer Example 5.23 Multiplication
if 4 * 2 == 8 log_info("four times two is eight");
/ Divide an integer with another. The result will be undef if either operand is undened. Since the result is an integer, fractional parts are lost. integer / integer = integer Example 5.24 Division
if 9 / 4 == 2 log_info("9 divided by 4 is 2");
% This is the modulo operation. Divides an integer with another and returns the remainder. The result will be undef if either operand is undened. integer % integer = integer Example 5.25 Modulo
if 3 % 2 == 1 log_info("three mod two is one");
5.2.4
Functions
A function is an expression which always returns a value. A function cannot be used without using its return value. In contrast to procedures, a function never modies its arguments, the state of the nxlog engine or the state of a module. Functions can be polymorphic, the same function can take different arguments. Some functions also support variadic arguments denoted by the varargs argument type. See the list of available functions. Example 5.26 Function call
$current.time = now(); if now() > 2000-01-01 00:00:00 log_info("we are in the 21st century");
5.3
Statements
Directives such as Exec take a statement as argument. After a statement is evaluated, usually the result will be a change in the state of the nxlog engine, the state of a module or the log message. A statement is terminated by a semicolon ";". Multiple statements can be specied and these will be evaluated and executed in order. The following elements can be used in statements. There is no loop operation (for, while) in the nxlog language.
5.3.1
Assignment
The assignment operation "=" loads the value from the expression evaluated on the right into a eld on the left. Example 5.27 Assignment
$event.rcvd = now();
5.3.2
Block
A block consists of one or more statements within curly braces "{}". This is typically used with conditional statements as in the example below. Example 5.28 Conditional statement block
if now() > 2000-01-01 00:00:00 { log_info("we are in the"); log_info("21st century"); }
5.3.3
Procedures
Though both functions can take arguments, procedures are the opposite of function calls. Procedures never return a value, thus these can be used as statements. A procedure can modify its argument if it is a eld, or it can modify the state of the nxlog engine, the state of a module or the log message. Procedures can also be polymorphic, the same procedure can take different arguments. Some procedures also support variadic arguments denoted by the varargs argument type. See the list of available procedures. Example 5.29 Procedure call
log_info("this is a procedure call");
5.3.4
If-Else
A conditional statement starts with the "if" keyword followed by a boolean expression and a statement. The "else" with another statement is optional. Brackets around the expression are also optional. Example 5.30 Conditional statements
if now() > 2000-01-01 00:00:00 log_info("we are in the 21st century"); # same as above but with brackets if ( now() > 2000-01-01 00:00:00 ) log_info("we are in the 21st century"); # conditional statement block if now() > 2000-01-01 00:00:00 { log_info("we are in the 21st century"); } # conditional statement block with an else branch if now() > 2000-01-01 00:00:00 { log_info("we are in the 21st century"); } else log_info("we are not yet in the 21st century");
Simliarly to Perl, the nxlog language doesnt have a switch statement. This can be accomplished by the appropriate use of conditional if-else statements as in the example below. Example 5.31 Emulating switch with if-else
if ( $value == 1 ) log_info("1"); else if ( $value == 2 ) log_info("2"); else if ( $value == 3 ) log_info("3"); else log_info("default");
Note The Perl shorthand "elsif" is not supported. There is no "unless" either.
5.4
Variables
Fields are not persistent because the scope of these is the log message itself, though elds can be used for storing temporary data during the processing of one log message or to pass values across modules along the route. Unfortunately if we need to store some value persistently, for example to set a state on a condition, then the elds cannot be used. The nxlog engine supports module variables for this purpose. A module variable is referenced by a string value. A module variable can only be accessed from the same module due to concurrency reasons. A module variable with the same name is a different variable when referenced from another module. A module variable can be created with an expiry value or it can have an innite lifetime. If a variable is created with a lifetime, it will be destroyed automatically when the lifetime expires. This can be also used as a means of a garbage collection method, or it can reset the value of the variable automatically. The module variables can store values of any type. Module variables are supported by all modules automatically. See create_var(), delete_var(), set_var() and get_var() for using module variables.
Example 5.32 Simple event correlation using module variables If the number of login failures exceeds 3 within 45 seconds, then we generate an internal log message.
if $Message =~ /login failure/ { if not defined get_var(login_failures) { # create the variable if it doesnt exist create_var(login_failures, 45); set_var(login_failures, 1); } else { # increase the variable and check if it is over the limit set_var(login_failures, get_var(login_failures) + 1); if get_var(login_failures) >= 3 log_warning("3 or more login failures detected within 45 seconds"); } }
Note that this method is a bad example for this task, becuase the lifetime of the variable is not affected by set_var(). For example if there is one login failure at time 0s, then three login failures at 45s, 46s and 47sec, then this algorithm will not be able to detect this, because the variable will be automatically cleared at 45s, and the last three login failures are not noticed even though they happened within 3 seconds. Also note that this method can only work in real time because the timing is not based on values available in the log message, though this can be reprogrammed by storing the event time in another variable.
5.5
Statistical counters
Statistical counters are similar to variables but these only support integers. The difference is that statistical counters can use different algorithms to recalculate their value every time they are updated or read. A statistical counter can be created with the create_stat() procedure calls. The following types are available for statistical counters: COUNT This will aggregate the values added, so the value of the counter will increase if only positive integers are added until the counter is destroyed, or indenitely if the counter has no expiry. COUNTMIN This will calculate the minimum value of the counter. COUNTMAX This will calculate the maximum value of the counter. AVG This algorithm calculates the average over the specied interval. AVGMIN This algorithm calculates the average over the specied interval and the value of the counter is always the lowest which was ever calculated during the lifetime of the counter. AVGMAX Similar to AVGMIN but returns the highest value calculated during the lifetime of the counter. RATE This calculates the value over the specied interval, can be used to calculate events per second (EPS) values. RATEMIN Will return the lowest rate calculated during the lifetime of the counter. RATEMAX Will return the highest rate calculated during the lifetime of the counter. GRAD This calculates the change of the rate of the counter over the specied interval, which is the gradient. GRADMIN Lowest gradient calculated during the lifetime of the counter. GRADMAX Highest gradient calculated during the lifetime of the counter. A statistical counter will only return a value if the time specied in the interval argument has elapsed since it was created. Statistical counters can be also created with a lifetime. When they expire, they will be destoryed similarly to module variables. After a statistical counter is created, it can be updated with the add_stat() procedure call. The value of the counter can be read with the get_stat() function call. The value of the statistical counter is recalculated during these calls, but it does never happen
automatically in a timed fashion, so this can lead to slight distortion of the calculated value if the add and read operations are infrequent. Another feature of statistical counters is that it is possible to specify a time value both during creation, update and read making ofine log processing possible. Example 5.33 Simple event correlation using statistical counters If the number of login failures exceeds 3 within 45 seconds, then we generate an internal log message. This accomplishes the exact same task as our previous algorithm did with module variables, except that this is a lot simpler. In addition, this method is more precise, because it uses the timestamp from the log message instead of relying on the current time, so it is possible to use this for ofine log analysis as well.
if $Message =~ /login failure/ { # create will no do anything if the counter already exists create_stat(login_failures, RATE, 45, $EventTime); add_stat(login_failures, 1, $EventTime); if get_stat(login_failures, $EventTime) >= 3 log_warning("3 or more login failures detected within 45 seconds"); }
Note that this is still not perfect because the time window used in the rate calculation does not shift, so the problem described in our previous example also affects this version and it is possible that this algorith does not work in some situations.
5.6
5.6.1
5.6.1.1
string lc(string arg); description Convert a string to lower case. arguments arg type: string return type string string uc(string arg); description Convert a string to upper case. arguments arg type: string return type string datetime now(); description Return the current time. return type datetime string type(unknown arg); description Returns the type of a variable. Can be "boolean", "integer", "string", "datetime", "ip4addr", "ip6addr", "regexp", "binary". For values with the unknown type, it returns undef. arguments arg type: unknown
return type string integer microsecond(datetime datetime); description Return the microsecond part from the time value. arguments datetime type: datetime return type integer integer second(datetime datetime); description Return the second part from the time value. arguments datetime type: datetime return type integer integer minute(datetime datetime); description Return the minute part from the time value. arguments datetime type: datetime return type integer integer hour(datetime datetime); description Return the hour part from the time value. arguments datetime type: datetime return type integer integer day(datetime datetime); description Return the day part from the time value. arguments datetime type: datetime return type integer integer month(datetime datetime); description Return the month part from the datetime value. arguments datetime type: datetime return type integer integer year(datetime datetime); description Return the year part from the datetime value. arguments datetime type: datetime return type integer datetime fix_year(datetime datetime); description Set year value to current in a datetime which was parsed with a missing year such as BSD syslog or cisco timestamps. arguments
datetime type: datetime return type datetime integer dayofweek(datetime datetime); description The number of days since Sunday in the range of 0-6. arguments datetime type: datetime return type integer integer dayofyear(datetime datetime); description Return the day number of the year in the range of 1-366. arguments datetime type: datetime return type integer string string(unknown arg); description Convert the argument to string. arguments arg type: unknown return type string integer integer(unknown arg); description Parse and convert the string argument to an integer. For datetime type it returns the number of microseconds since epoh arguments arg type: unknown return type integer datetime datetime(integer arg); description Convert the integer argument expressing the number of microseconds since epoch to datetime. arguments arg type: integer return type datetime datetime parsedate(string arg); description Parse a datetime argument. Returns an undened datetime type if it cannot parse the argument so that the user can x the error, e.g. $EventTime = parsedate($somestring); if not dened($EventTime) $EventTime = now(); arguments arg type: string return type datetime string strftime(datetime datetime, string fmt); description Convert a datetime to a string with the given format. See the manual of strftime(3) for the format specication. arguments datetime type: datetime fmt type: string return type string
datetime strptime(string input, string fmt); description Convert a string to a datetime with the given format. See the manual of strptime(3) for the format specication. arguments input type: string fmt type: string return type datetime string hostname(); description Return the hostname (short form). return type string string hostname_fqdn(); description Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined. return type string unknown get_var(string varname); description Return the value of the variable or undef if it doesnt exist. arguments varname type: string return type unknown integer get_stat(string statname); description Return the value of the statistical counter or undef if it doesnt exist. arguments statname type: string return type integer integer get_stat(string statname, datetime time); description Return the value of the statistical counter or undef if it doesnt exist. The time argument species the current time. arguments statname type: string time type: datetime return type integer ip4addr ip4addr(integer arg); description Convert the integer argument to an ip4addr type. arguments arg type: integer return type ip4addr ip4addr ip4addr(integer arg, boolean ntoa); description Convert the integer argument to an ip4addr type. If ntoa is set to true, the integer is assumed to be in network byte order. Instead of 1.2.3.4 the result will be 4.3.2.1. arguments arg type: integer ntoa type: boolean
return type ip4addr string substr(string src, integer from); description Return the string starting at the byte offset specied in from. arguments src type: string from type: integer return type string string substr(string src, integer from, integer to); description Return a substring specied with the starting and ending positions as byte offsets from the beginning of the string. arguments src type: string from type: integer to type: integer return type string string replace(string subject, string src, string dst); description Replace all occurences of src with dst in the subject string. arguments subject type: string src type: string dst type: string return type string string replace(string subject, string src, string dst, integer count); description Replace count number occurences of src with dst in the subject string. arguments subject type: string src type: string dst type: string count type: integer return type string integer size(string str); description Return the size of the string str in bytes. arguments str type: string return type integer boolean dropped(); description Return TRUE if the currently processed event has been already dropped. return type boolean
5.6.1.2
log_debug(unknown arg, varargs args); description Print the argument(s) at DEBUG log level. arguments arg type: unknown args type: varargs debug(unknown arg, varargs args); description Print the argument(s) at DEBUG log level. Same as log_debug(). arguments arg type: unknown args type: varargs log_info(unknown arg, varargs args); description Print the argument(s) at INFO log level. arguments arg type: unknown args type: varargs log_warning(unknown arg, varargs args); description Print the argument(s) at WARNING log level. arguments arg type: unknown args type: varargs log_error(unknown arg, varargs args); description Print the argument(s) at ERROR log level. arguments arg type: unknown args type: varargs delete(unknown arg); description Delete the eld from the event, i.e. delete($eld). Note that doing $eld = undef is not the same, though after both operations the eld will be undened. arguments arg type: unknown create_var(string varname); description Create a module variable with the specied name. The variable will be created with an innite lifetime. arguments varname type: string create_var(string varname, integer lifetime); description Create a module variable with the specied name with the lifetime given in seconds. If the lifetime expires, the variable is deleted automatically and get_var(name) will return undef. arguments varname type: string
lifetime type: integer create_var(string varname, datetime expiry); description Create a module variable with the specied name. Expiry species when the variable should be deleted automatically. arguments varname type: string expiry type: datetime delete_var(string varname); description Delete the module variable with the specied name if it exists. arguments varname type: string set_var(string varname, unknown value); description Set a value of a module variable. If the variable does not exist, it will be created with an innite lifetime. arguments varname type: string value type: unknown create_stat(string statname, string type); description Create a module statistical counter with the specied name using the current time. The statistical counter will be created with an innite lifetime. The type argument can be any of the following to select the required algorithm for calculating the value of the statistical counter: COUNT, COUNTMIN, COUNTMAX AVG, AVGMIN, AVGMAX, RATE, RATEMIN, RATEMAX, GRAD, GRADMIN, GRADMAX. See the statistical counters section for the description of these. This procedure with two parameters can only be used with COUNT, otherwise the interval parameter must be specied. arguments statname type: string type type: string create_stat(string statname, string type, integer interval); description Create a module statistical counter with the specied name to be calculated over interval seconds and using the current time. The statistical counter will be created with an innite lifetime. arguments statname type: string type type: string interval type: integer create_stat(string statname, string type, integer interval, datetime time); description Create a module statistical counter with the specied name to be calculated over interval seconds and the time value specied in the argument named time. The statistical counter will be created with an innite lifetime. arguments statname type: string type type: string interval type: integer time type: datetime
create_stat(string statname, string type, integer interval, datetime time, integer lifetim
description Create a module statistical counter with the specied name to be calculated over interval seconds and the time value specied in the argument named time. The statistical counter will expire after lifetime seconds. arguments statname type: string type type: string interval type: integer time type: datetime lifetime type: integer
create_stat(string statname, string type, integer interval, datetime time, datetime expiry description Create a module statistical counter with the specied name to be calculated over interval seconds and the time value specied in the argument named time. The statistical counter will expire at expiry. arguments statname type: string type type: string interval type: integer time type: datetime expiry type: datetime add_stat(string statname, integer value); description Add value to the statistical counter using the current time. arguments statname type: string value type: integer add_stat(string statname, integer value, datetime time); description Add value to the statistical counter using the time specied in the argument named time. arguments statname type: string value type: integer time type: datetime sleep(integer interval); description Sleep the specied number of microseconds. This procedure is provided for testing purposes mostly. It can be used as a poor mans rate limiting tool, though its use is not recommended. arguments interval type: integer drop(); description Drop the currently processed events log and dont execute further statements. rename_field(string old, string new); description Rename a eld. arguments old type: string new type: string reroute(string routename);
description Move the currently processed event data to the route specied in the argument. The event data will enter the route as if it was received by an input module there. arguments routename type: string add_to_route(string routename); description Copy the currently processed event data to the the route specied in the argument. This procedure makes a copy of the data and the original will be processed normally. arguments routename type: string
5.6.2
xm_syslog Functions and procedures exported by xm_syslog om_le Functions and procedures exported by om_le
Chapter 6
Modules
nxlog uses loadable modules similarly to the Apache HTTP server, these are also called as plugins in another terminology. There are four types of modules: extension, input, processor and output modules. This chapter deals with the features and conguration of each specic module. General concepts about conguring modules were discussed in the Conguration chapter earlier.
6.1
Extension modules
Extension modules do not process log messages directly, and for this reason their instances cannot be part of a route. These modules can enhance the features of nxlog in different ways such as exporting new functions and procedures, registering additional I/O reader and writer functions to be used with modules supporting the OutputType and InputType directives. Also there are many possibilities to hook an extension module into the nxlog engine, the following modules will illustrate this.
6.1.1
CSV (xm_csv)
This module provides functions and procedures to process data formatted as comma separated values (CSV) and allows to convert to CSV and parse CSV into elds. The pm_transformer module also provides a simple interface to parse and generate CSV lines, but with the API this xm_csv module exports to the nxlog language, it is possible to solve a lot more complex tasks involving CSV formatted data.
Note It is possible to use more than one xm_csv module instance with different options in order to support different CSV formats at the same time. For this reason, functions and procedures exported by the module are public and must be referenced by the module instance name.
6.1.1.1
Conguration
In addition to the common module directives, the following can be used to congure the xm_csv module instance. QuoteChar This optional directive takes a single character (see below) as argument to specify the quote character used to enclose elds. If QuoteOptional is TRUE, then only string type elds are quoted. If this directive is not specied, the default quote character is the double-quote character ("). EscapeChar This optional directive takes a single character (see below) as argument to specify the escape character used to escape special characters. The escape character is used to prex the following characters: the escape character itself, the quote character and the delimiter character. If EscapeControl is TRUE, the \n, \r, \t, \b (newline, carriage-return, tab, backspace) control characters are also escaped. If this directive is not specied, the default escape character is the backslash character (\).
Delimiter This optional directive takes a single character (see below) as argument to specify the delimiter character used to separate elds. If this directive is not specied, the default escape character is the comma character (,). Note that there is no delimiter after the last eld. QuoteOptional This directive has been deprecated in favor of QuoteMethod, please use that instead. QuoteMethod This optional directive can take the following values: String Only string type elds will be quoted. Has the same effect as QuoteOptional set to TRUE . This is the default behavior if the QuoteMethod directive is not specied. All All elds will be quoted. None Nothing will be quoted. This can be problematic if the eld value (typically text that can contain any character) can contain the delimiter character. Make sure that this is escaped or replaced with something else. Note that this directive only effects CSV generation when using to_csv(). The CSV parser can automatically detect the quotation. EscapeControl If this optional boolean directive is set to TRUE, control characters are also escaped. See the EscapeChar directive for details. If this directive is not specied, control characters are escaped by default. Note that this is necessary in order to allow single line CSV eld lists which contain line-breaks. Fields This is a comma separated list of elds which will be lled from the input parsed. Field names with or without the dollar sign "$" are also accepted. This directive is mandatory. The elds will be stored as strings by default unless their type is explicitely specied with the FieldTypes directive. FieldTypes This optional directive species the list of types corresponding to the eld names dened in Fields. If specied, the number of types must match the number of eld names specied with Fields. If this directive is omitted, all elds will be stored as strings. This directive has no effect on the elds-to-csv conversion. UndefValue This optional directive species a string which will be treated as an undened value. This is particularly useful when parsing the W3C format where the dash "-" marks an omitted eld.
6.1.1.1.1 Specifying characters for quote, escape and delimiter
The QuoteChar, EscapeChar and Delimiter can be specied in different ways, mainly due to the nature of the cong le format. As of this writing, the module does not support multi character strings for these parameters. Unquoted single character Printable characters can be specied as an unquoted character, except for the backslash \. Example:
Delimiter ;
Control characters The following non-printable characters can be specied with escape sequences: \a audible alert (bell) \b backspace \t horizontal tab \n newline \v vertical tab \f formfeed \r carriage return To use TAB delimiting:
Delimiter \t
A character in single quotes The cong parser strips whitespace, so it is not possible to dene space as the delimiter unless it is enclosed within quotes:
Delimiter
A character in double quotes Double quotes can be used similarly to single quotes:
Delimiter " "
6.1.1.2 6.1.1.2.1
string to_csv(); description Convert the specied elds to a single CSV formatted string. return type string
6.1.1.2.2 Procedures exported by xm_csv
parse_csv(); description Parse the raw_event eld as csv input parse_csv(string source); description Parse the given string as CSV format arguments source type: string to_csv(); description Format the specied elds as CSV and put it into the raw_event eld.
6.1.1.3
Conguration examples
Example 6.1 Complex CSV format conversion This example illustrates the power of nxlog and the xm_csv module. It shows that not only can the module parse and create CSV formatted input and output, but using multiple xm_csv modules it is possible to reorder, add, remove or modify elds and output these in a different CSV format.
<Extension csv1> Module xm_csv Fields $id, $name, $number FieldTypes integer, string, integer Delimiter , </Extension> <Extension csv2> Module xm_csv Fields $id, $number, $name, $date Delimiter ; </Extension> <Input filein> Module im_file File "tmp/input" Exec csv1->parse_csv(); \ $date = now(); \ if not defined $number $number = 0; \ csv2->to_csv(); </Input> <Output fileout> Module om_file File "tmp/output" </Output> <Route 1> Path filein => fileout </Route>
Samples for the input and output les processed by the above cong are shown below.
1, "John K.", 42 2, "Joe F.", 43 1;42;"John K.";2011-01-15 23:45:20 2;43;"Joe F.";2011-01-15 23:45:20
6.1.2
JSON (xm_json)
This module provides functions and procedures to process data formatted as JSON and allows to convert to JSON and parse JSON into elds.
6.1.2.1 Conguration
The module does not have any module specic conguration directives.
6.1.2.2 6.1.2.2.1
string to_json(); description Converts the elds to JSON and returns it as a string value. Fields having a leading dot (.) or underscore (_) and the raw_event will be automatically excluded. return type string
6.1.2.2.2 Procedures exported by xm_json
parse_json(); description Parse the raw_event eld as json input parse_json(string source); description Parse the given string as JSON format arguments source type: string to_json(); description Convert the elds to JSON and put this into the raw_event eld. Fields having a leading dot (.) or underscore (_) and the raw_event will be automatically excluded.
6.1.2.3
Conguration examples
Example 6.2 Syslog to JSON format conversion The following conguration accepts syslog (both legacy and RFC5424) and converts it to JSON.
<Extension syslog> Module xm_syslog </Extension> <Extension json> Module xm_json </Extension> <Input in> Module im_tcp Port 1514 Host 0.0.0.0 Exec parse_syslog(); to_json(); </Input> <Output out> Module om_file File "/var/log/json.txt" </Output> <Route r> Path in => out </Route>
Example 6.3 Converting Windows EventLog to Syslog encapsulated JSON The following conguration reads the Windows EventLog and converts it into the legacy syslog format where the message part contains the elds in JSON.
<Extension syslog> Module xm_syslog </Extension> <Extension json> Module xm_json </Extension> <Input in> Module Exec </Input> <Output out> Module Host Port </Output>
in => out
6.1.3
XML (xm_xml)
This module provides functions and procedures to process data formatted as Extensible Markup Language (XML) and allows to convert to XML and parse XML into elds.
6.1.3.1 Conguration
The module does not have any module specic conguration directives.
6.1.3.2 6.1.3.2.1 Functions and procedures exported by xm_xml Functions exported by xm_xml
string to_xml(); description Converts the elds to XML and returns it as a string value. Fields having a leading dot (.) or underscore (_) and the raw_event will be automatically excluded. return type string
6.1.3.2.2
parse_xml(); description Parse the raw_event eld as xml input parse_xml(string source); description Parse the given string as XML format arguments source type: string to_xml(); description Convert the elds to XML and put this into the raw_event eld. Fields having a leading dot (.) or underscore (_) and the raw_event will be automatically excluded.
6.1.3.3 Conguration examples
Example 6.4 Syslog to XML format conversion The following conguration accepts Syslog (both legacy and RFC5424) and converts it to XML.
<Extension syslog> Module xm_syslog </Extension> <Extension xml> Module xm_xml </Extension> <Input in> Module im_tcp Port 1514 Host 0.0.0.0 Exec parse_syslog(); to_xml(); </Input> <Output out> Module om_file File "/var/log/log.xml" </Output> <Route r> Path in => out </Route>
Example 6.5 Converting Windows EventLog to Syslog encapsulated XML The following conguration reads the Windows EventLog and converts it into the legacy syslog format where the message part contains the elds in XML.
<Extension syslog> Module xm_syslog </Extension> <Extension xml> Module xm_xml </Extension> <Input in> Module Exec </Input> <Output out> Module Host Port </Output>
in => out
6.1.4
This module provides functions and procedures to process data formatted as key-value pairs (KVPs), also commonly called as name-value pairs. The module can both parse and generate data formatted as key-value pairs. It is quite common to have a different set of keys in each log line in the form of key-value formatted messages. Extracting values from such logs using regular expressions can be quite cumbersome. The xm_kvp extension module solves this problem by automating this process. Log messages containing key-value pairs typically look like the following:
key1: value1, key2: value2, key42: value42 key1="value 1"; key2="value 2" Application=smtp, Event=Protocol Conversation, status=Client Request, ClientRequest=  HELO 1.2.3.4
I.e. keys are usually separated from the value using an equal sign (=) or the colon (:) and the key-value pairs are delimited with a comma (,), semicolon (;) or space. In addition, values and keys may be quoted and can contain escaping. The module will try to guess the format or this can be explicitly specied using the conguration directives listed below.
Note It is possible to use more than one xm_kvp module instance with different options in order to support different KVP formats at the same time. For this reason, functions and procedures exported by the module are public and must be referenced by the module instance name.
6.1.4.1
Conguration
In addition to the common module directives, the following can be used to congure the xm_kvp module instance. KeyQuoteChar This optional directive takes a single character (see below) as argument to specify the quote character used to enclose key names. If this directive is not specied, the module will accept keys quoted in single and double quotes in addition to unquoted keys. ValueQuoteChar This optional directive takes a single character (see below) as argument to specify the quote character used to enclose values. If this directive is not specied, the module will accept keys quoted in single and double quotes in addition to unquoted values. Normally, but not neccessarily, quotation is used when the value contains space and or the KVDelimiter character. EscapeChar This optional directive takes a single character (see below) as argument to specify the escape character used to escape special characters. The escape character is used to prex the following characters: the EscapeChar itself and the KeyQuoteChar or the ValueQuoteChar. If EscapeControl is TRUE, the \n, \r, \t, \b (newline, carriage-return, tab, backspace) control characters are also escaped. If this directive is not specied, the default escape character is the backslash character (\). KVDelimiter This optional directive takes a single character (see below) as argument to specify the delimiter character used to separate the key from the value. If this directive is not specied, the module will try to guess the delimiter used which can be either a colon (:) or the equal-sign (=). KVPDelimiter This optional directive takes a single character (see below) as argument to specify the delimiter character used to separate the key-value pairs. If this directive is not specied, the module will try to guess the delimiter used which can be either a comma (,) semicolon (;) or the space. EscapeControl If this optional boolean directive is set to TRUE, control characters are also escaped. See the EscapeChar directive for details. If this directive is not specied, control characters are escaped by default. Note that this is necessary in order to allow single line KVP eld lists which contain line-breaks.
6.1.4.1.1 Specifying characters for quote, escape and delimiter
The ValueQuoteChar, KeyQuoteChar, EscapeChar, KVDelimiter and KVPDelimiter can be specied in different ways, mainly due to the nature of the cong le format. As of this writing, the module does not support multi character strings for these parameters. Unquoted single character Printable characters can be specied as an unquoted character, except for the backslash \. Example:
Delimiter ;
Control characters The following non-printable characters can be specied with escape sequences: \a audible alert (bell) \b backspace \t horizontal tab \n newline \v vertical tab \f formfeed
A character in single quotes The cong parser strips whitespace, so it is not possible to dene space as the delimiter unless it is enclosed within quotes:
KVPDelimiter  
A character in double quotes Double quotes can be used similarly to single quotes:
KVPDelimiter " "
6.1.4.2 6.1.4.2.1
string to_kvp(); description Convert the internal elds to a single KVP formatted string. return type string
6.1.4.2.2 Procedures exported by xm_kvp
parse_kvp(); description Parse the raw_event eld as key-value pairs and populate the internal elds using the key names. parse_kvp(string source); description Parse the given string key-value pairs and populate the internal elds using the key names. arguments source type: string to_kvp(); description Format the internal elds as KVP and put this into the raw_event eld. reset_kvp(); description Reset the kvp parser so that the autodetected KeyQuoteChar, ValueQouteChar, KVDelimiter and KVPDelimiter characters can be detected again.
6.1.4.3
Conguration examples
The following examples show various use-cases for parsing KVPs either embedded in another encapsulating format (e.g. syslog) or simply on their own. To do something with the logs we convert these to JSON , though obviously there are dozens of other options. These examples use les for input and output, this can be also changed to use UDP syslog or some other protocol.
Example 6.6 Simple KVP parsing The following two lines of input illustrate a simple KVP format where each line consists of various keys and values assigned to them.
Name=John, Age=42, Weight=84, Height=142 Name=Mike, Weight=64, Age=24, Pet=dog, Height=172
To process this input we use the following conguration that will ignore lines starting with a hash (#) and parses others as key value pairs. The parsed elds can be used in nxlog expressions. In this example we insert a new eld named $Overweight and set its value to TRUE if the conditions are met. Finally a few automatically added elds are removed and the log is then converted to JSON.
<Extension kvp> Module KVPDelimiter KVDelimiter EscapeChar </Extension> xm_kvp , = \\
<Extension json> Module xm_json </Extension> <Input in> Module File SavePos ReadFromLast Exec
im_file "modules/extension/kvp/xm_kvp5.in" FALSE FALSE if $raw_event =~ /^#/ drop(); \ else \ { \ kvp->parse_kvp(); \ delete($EventReceivedTime); \ delete($SourceModuleName); \ delete($SourceModuleType); \ if ( integer($Weight) > integer($Height) - 100 ) $Overweight = TRUE; \ to_json();\ }
</Input> <Output out> Module File </Output> <Route 1> Path </Route>
om_file tmp/output
in => out
Example 6.7 Parsing KVPs in Cisco ACS syslog The following line is from a Cisco ACS source:
<38>Oct 16 21:01:29 10.0.1.1 CisACS_02_FailedAuth 1k1fg93nk 1 0 Message-Type=Authen failed,  User-Name=John,NAS-IP-Address=10.0.1.2,AAA Server=acs01 <38>Oct 16 21:01:31 10.0.1.1 CisACS_02_FailedAuth 2k1fg63nk 1 0 Message-Type=Authen failed,  User-Name=Foo,NAS-IP-Address=10.0.1.2,AAA Server=acs01
The format is syslog which contains a set of values present in each record such as the category name and an additional set of KVPs. The following conguration can be used to process this and convert it to JSON:
include common.conf <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension kvp> Module xm_kvp KVDelimiter = KVPDelimiter , </Extension> <Input in> Module im_file SavePos FALSE ReadFromLast FALSE File "modules/extension/kvp/cisco_acs.in" Exec parse_syslog_bsd(); Exec if ( $Message =~ /^CisACS_(\d\d)_(\S+) (\S+) (\d+) (\d+) (.*)$/ ) \ { \ $ACSCategoryNumber = $1; \ $ACSCategoryName = $2; \ $ACSMessageId = $3; \ $ACSTotalSegments = $4; \ $ACSSegmentNumber = $5; \ $Message = $6; \ kvp->parse_kvp($Message); \ } \ else log_warning("does not match: " + to_json()); </Input> <Output out> Module om_file File "tmp/output" Exec delete($EventReceivedTime); Exec to_json(); </Output> <Route 1> Path in => out </Route>
Example 6.8 Parsing KVPs in Sidewinder logs The following line is from a Sidewinder log source:
date="May 5 14:34:40 2009 MDT",fac=f_mail_filter,area=a_kmvfilter,type=t_mimevirus_reject,  pri=p_major,pid=10174,ruid=0,euid=0,pgid=10174,logid=0,cmd=kmvfilter,domain=MMF1,edomain  =MMF1,message_id=(null),srcip=66.74.184.9,mail_sender=<habuzeid6@...>,virus_name=W32/  Netsky.c@MM!zip,reason="Message scan detected a Virus in msg Unknown, message being  Discarded, and not quarantined"
This can be parsed and converted to JSON with the following conguration:
<Extension kvp> Module xm_kvp KVPDelimiter , KVDelimiter = EscapeChar \\ ValueQouteChar " </Extension> <Extension json> Module xm_json </Extension> <Input in> Module im_file File "modules/extension/kvp/sidewinder.in" SavePos FALSE ReadFromLast FALSE Exec kvp->parse_kvp(); delete($EventReceivedTime); to_json(); </Input> <Output out> Module om_file File tmp/output </Output> <Route 1> Path in => out </Route>
Example 6.9 Parsing URL request parameters in Apache access logs URLs in HTTP requests frequently contain URL parameters which are a special kind of key-value pairs delimited by the ampersand (&). Here is an example of two HTTP requests logged by the Apache web server in the Combined Log Format:
192.168.1.1 - foo [11/Jun/2013:15:44:34 +0200] "GET /do?action=view&obj_id=2 HTTP/1.1" 200  1514 "https://localhost" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Firefox  /17.0" 192.168.1.1 - - [11/Jun/2013:15:44:44 +0200] "GET /do?action=delete&obj_id=42 HTTP/1.1" 401  788 "https://localhost" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Firefox  /17.0"
The following conguration le parses the access log and extracts all the elds. In this case the request parameters are extracted into the HTTPParams eld using a regular expression. This eld is then further parsed using the KVP parser. At the end of the processing all elds are converted to the KVP format using the to_kvp() procedure of the kvp2 instance.
<Extension kvp> Module xm_kvp KVPDelimiter & KVDelimiter = </Extension> <Extension kvp2> Module xm_kvp KVPDelimiter ; KVDelimiter = </Extension> <Input in> Module im_file File "modules/extension/kvp/apache_url.in" SavePos FALSE ReadFromLast FALSE Exec if $raw_event =~ /^(\S+) (\S+) (\S+) \[([^\]]+)\] \"(\S+) (.+) HTTP.\d\.\d\" (\  d+) (\d+) \"([^\"]+)\" \"([^\"]+)\"/\ { \ $Hostname = $1; \ if $3 != - $AccountName = $3; \ $EventTime = parsedate($4); \ $HTTPMethod = $5; \ $HTTPURL = $6; \ $HTTPResponseStatus = $7; \ $FileSize = $8; \ $HTTPReferer = $9; \ $HTTPUserAgent = $10; \ if $HTTPURL =~ /\?(.+)/ { $HTTPParams = $1; } \ kvp->parse_kvp($HTTPParams); \ delete($EventReceivedTime); \ kvp2->to_kvp(); \ } </Input> <Output out> Module om_file File tmp/output </Output> <Route 1> Path in => out </Route>
The two request parameters action and obj_id then appear at the end of the KVP formated lines.
SourceModuleName=in;SourceModuleType=im_file;Hostname=192.168.1.1;AccountName=foo;EventTime  =2013-06-11 15:44:34;HTTPMethod=GET;HTTPURL=/do?action=view&obj_id=2;HTTPResponseStatus  =200;FileSize=1514;HTTPReferer=https://localhost;HTTPUserAgent=Mozilla/5.0 (X11; Linux  x86_64; rv:17.0) Gecko/17.0 Firefox/17.0;HTTPParams=action=view&obj_id=2;action=view;  obj_id=2; SourceModuleName=in;SourceModuleType=im_file;Hostname=192.168.1.1;EventTime=2013-06-11 
6.1.5
GELF (xm_gelf)
This module provides an output writer function which can be used to generate output in Graylog Extended Log Format (GELF) and feed that into Graylog2 or GELF compliant tools. The advantage of using this module over syslog (e.g. Snare Agent and others) is that the GELF format contains structured data in JSON and makes the elds available to analysis. This is especially convenient with sources such as the Windows EventLog which already generate logs in a structured format. The GELF output generated by this module includes all elds, except the following: The raw_event eld. Fields starting with a leading dot (.). Fields starting with a leading underscore (_). In order to make nxlog output GELF formatted data, the following needs to be done: 1. Make sure the xm_gelf module is loaded:
<Extension gelf> Module xm_gelf </Extension>
6.1.5.1
Conguration
The module does not have any module specic conguration directives.
6.1.5.2 Conguration examples
Example 6.10 Sending Windows EventLog to Graylog2 in GELF The following conguration reads the Windows EventLog and sends it to the Graylog2 server in GELF format.
<Extension gelf> Module xm_gelf </Extension> <Input in> # Use im_mseventlog for Windows XP and 2003 Module im_msvistalog </Input> <Output out> Module Host Port OutputType </Output> <Route r> Path </Route>
in => out
Example 6.11 Parsing a CSV le and sending it to Graylog2 in GELF Using the following cong le nxlog will read a CSV le containing 3 elds and forwards it in GELF so that the elds will be available on the server.
<Extension gelf> Module xm_gelf </Extension> <Extension csv> Module xm_csv Fields $name, $number, $location FieldTypes string, integer, string Delimiter , </Extension> <Input in> Module im_file File "/var/log/app/csv.log" </Input> <Output out> Module om_udp Host 192.168.1.1 Port 12201 OutputType GELF </Output> <Route r> Path in => out </Route>
6.1.6
This module provides functions and procedures to convert strings between different character sets (codepages). Reasons for the existence of this module are outlined in the Character set and i18n support section. The convert_elds() procedure and the convert() function supports all encodings available to iconv. See iconv -l for a list of encoding names.
6.1.6.1 Conguration
In addition to the common module directives, the following can be used to congure the xm_charconv module instance. AutodetectCharsets This optional directive takes a comma separated list of character set names. When auto is specied as the source encoding for convert() or convert_elds(), these charsets will be tried for conversion.
6.1.6.2 6.1.6.2.1 Functions and procedures exported by xm_charconv Functions exported by xm_charconv
string convert(string source, string srcencoding, string dstencoding); description This function converts the source string to the encoding specied in dstencoding from srcencoding. srcencoding can be auto to request auto detection. arguments source type: string
convert_fields(string srcencoding, string dstencoding); description Convert all string type elds of a log message from srcencoding to dstencoding. srcencoding can be "auto" to request auto detection. arguments srcencoding type: string dstencoding type: string
6.1.6.3 Conguration examples
This conguration shows an example of character set autodetection. The input le can contain differently encoded lines and using autodetection the module normalizes output to utf-8. Example 6.12 Character set autodetection of various input encodings
<Extension charconv> Module xm_charconv AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2 </Extension> <Input filein> Module im_file File "tmp/input" Exec convert_fields("AUTO", "utf-8"); </Input> <Output fileout> Module om_file File "tmp/output" </Output> <Route 1> Path filein => fileout </Route>
6.1.7
This module provides functions and procedures to manipulate les. Coupled with a Schedule block, this allows to implement various log rotation and retention policies, e.g.:  log le retention based on le size,  log le retention based on le age,  cyclic log le rotation and retention.
Note Rotating, renaming or removing the le written by om_le is also supported with the help of the reopen procedure.
6.1.7.1
Conguration
The module does not have any module specic conguration directives.
6.1.7.2 6.1.7.2.1 Functions and procedures exported by xm_leop Functions exported by xm_leop
string file_read(string file); description Return the contents of the le as a string value. On error undef is returned and an error is logged. arguments le type: string return type string boolean file_exists(string file); description Return TRUE if the le exists and is a regular le. arguments le type: string return type boolean string file_basename(string file); description Strip the directory name from the full le path. basename(/var/log/app.log) will return app.log. arguments le type: string return type string string file_dirname(string file); description Return the directory name of the full le le path. basename(/var/log/app.log) will return /var/log. Returns an empty string if le does not contain any directory separators. arguments le type: string return type string datetime file_mtime(string file); description Return the last modication time of the le. On error undef is returned and an error is logged. arguments le type: string return type datetime datetime file_ctime(string file); description Return the creation or inode-changed time of the le. On error undef is returned and an error is logged. arguments le type: string return type datetime string file_type(string file); description Return the type of the le. The following string values can be returned: FILE, DIR, CHAR, BLOCK, PIPE, LINK, SOCKET, UNKNOWN. On error undef is returned and an error is logged.
arguments le type: string return type string integer file_size(string file); description Return the size of the le. On error undef is returned and an error is logged. arguments le type: string return type integer integer file_inode(string file); description Return the inode number of the le. On error undef is returned and an error is logged. arguments le type: string return type integer string dir_temp_get(); description Return the name of a directory suitable as a temporary storage location. return type string boolean dir_exists(string path); description Return TRUE if the path exists and is a directory. On error undef is returned and an error is logged. arguments path type: string return type boolean
6.1.7.2.2 Procedures exported by xm_leop
file_cycle(string file); description Do a cyclic rotation on le. le will be moved to "le.1". If "le.1" already exists it will be moved to "le.2" and so on. This procedure will reopen the LogFile if this is cycled. An error is logged if the operation fails. arguments le type: string file_cycle(string file, integer max); description Do a cyclic rotation on le. le will be moved to "le.1". If "le.1" already exists it will be moved to "le.2" and so on. max species the maximum number of les to keep. E.g. if max is 5, "le.6" will be deleted. This procedure will reopen the LogFile if this is cycled. An error is logged if the operation fails. arguments le type: string max type: integer file_rename(string old, string new); description Rename the le old to new. If the le new exists, it will be overwritten. Moving les or directories across devices may not be possible. This procedure will reopen the LogFile if this is renamed. An error is logged if the operation fails. arguments old type: string
new type: string file_copy(string src, string dst); description Copy the le src to dst. If le dst already exists, its contents will be overwritten. An error is logged if the operation fails. arguments src type: string dst type: string file_remove(string file); description Remove the le le. It is possible to specify a wildcard in lenames (but not in the path). If you use backslash as the directory separator with wildcards, make sure to escape this (e.g. C:\\test\\*.log). This procedure will reopen the LogFile if this is removed. An error is logged if the operation fails. arguments le type: string file_remove(string file, datetime older); description Remove the le le if its creation time is older than the value specied in older. It is possible to specify a wildcard in lenames (but not in the path). If you use backslash as the directory separator with wildcards, make sure to escape this (e.g. C:\\test\\*.log). This procedure will reopen the LogFile if this is removed. An error is logged if the operation fails. arguments le type: string older type: datetime file_link(string src, string dst); description Create a hardlink from src to dst. An error is logged if the operation fails. arguments src type: string dst type: string file_append(string src, string dst); description Append the contents of the le src to dst. dst will be created if it does not exist. An error is logged if the operation fails. arguments src type: string dst type: string file_write(string file, string value); description Write value into le. le will be created if it does not exist. An error is logged if the operation fails. arguments le type: string value type: string file_truncate(string file); description Truncate the le to zero length. If le does not exist, it will be created. An error is logged if the operation fails. arguments le type: string
file_truncate(string file, integer offset); description Truncate the le to the size specied in offset. If le does not exist, it will be created. An error is logged if the operation fails. arguments le type: string offset type: integer file_chown(string file, integer uid, integer gid); description Change le ownership. This function is only implemented on POSIX systems where chown() is available in the underlying OS. An error is logged if the operation fails. arguments le type: string uid type: integer gid type: integer file_chmod(string file, integer mode); description Change le permission. This function is only implemented on POSIX systems where chmod() is available in the underlying OS. An error is logged if the operation fails. arguments le type: string mode type: integer file_touch(string file); description Update the last modication time of le or create it if le does not exist. An error is logged if the operation fails. arguments le type: string dir_make(string path); description Create a directory recursively (i.e. as mkdir -p). It succeeds if the directory already exists. An error is logged if the operation fails. arguments path type: string dir_remove(string file); description Remove the directory from the lesystem. arguments le type: string
6.1.7.3
Conguration examples
Example 6.13 Rotation of the internal LogFile This example shows how to rotate the internal logle based on time and size.
#define LOGFILE C:\Program Files\nxlog\data\nxlog.log define LOGFILE /var/log/nxlog/nxlog.log <Extension fileop> Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1Mb <Schedule> Every 1 hour Exec if (file_size(%LOGFILE%) >= 1M) file_cycle(%LOGFILE%, 2); </Schedule> # Rotate our log file every week on sunday at midnight <Schedule> When @weekly Exec file_cycle(%LOGFILE%, 2); </Schedule> </Extension>
6.1.8
Multi-line messages such as exception logs and stack traces are quite common in logs. Unfortunately when the log messages are stored in les or forwarded over the network without any encapsulation, the newline character present in messages spanning multiple lines confuse simple linebased parsers which treat every line as a separate event. Multi-line events have one or more of the following properties:  The rst line has a header (e.g. timestamp + severity).  The rst line has a header and there is closing character sequence marking the end.  The line cont in the message can be variable (one or more) or the message can have a xed line count. This information allows the message to be reconstructed, i.e. lines to be concatenated which belong to a single event. This is how the xm_multiline module can join together multiple lines into a single message. The name of the xm_multiline module instance can be used by input modules as the input reader specied with the InputType directive. For each input source a separate context is maintained by the module so that multi-line messages coming from several simultaneous sources can be still correctly processed. An input source is a le for im_le (with wildcards it is one source for each le), a connection for im_ssl and im_tcp. Unfortunately im_udp uses a single socket and is treated as a single source even if multiple UDP (e.g. syslog) senders are forwarding logs to it.
Note By using module variables it is possible to accomplish the same what this module does. The advantages of using this module over module variables are the following:  Processes messages more efciently.  It yields a more readable conguration.  Module event counters are correctly updated (i.e. one increment for one multi-line message and not per line).  It works on message source level (each le for a wildcarded im_le module instance and each tcp connection for an im_tcp/im_ssl instance) and not on module instance level.
6.1.8.1
Conguration
The following directives can be used to congure the xm_multiline module instance: HeaderLine This directive takes a string or a regular expression literal. This will be matched against each line. When the match is successful, the successive lines are appended until the next header line is read. This directive is mandatory unless FixedLineCount is used.
Note Until there is a new header read, the previous message is stored in the buffers because the module does not know where the message ends. If there is no new message, the last may sit in the buffers indenitly. It may be possible to ush the buffers using a timer or on EOF, unfortunately these solutions are not perfect either (though these may be implemented in a later version). If this behaviour is unacceptable, consider using some kind of an encapsulation method (JSON, XML, RFC5425, etc) or use and end marker with EndLine if possible.
EndLine This is similar to the HeaderLine directive. This optional directive also takes a string or a regular expression literal to be matched against each line. When the match is successful the message is considered complete and is emitted. FixedLineCount This directive takes a positive integer number dening the number of lines to concatenate. This is mostly useful with log messages spanning a xed number of lines. When this number is dened, the module knows where the event message ends, thus it does not suffer from the problem described above. Exec This directive is almost identical to the behavior of the Exec directive used by the other modules with the following differences: Each line is passed in $raw_event as it is read. The line includes the line terminator. Other elds cannot be used. If you want to store captured strings from regular expression based matching in elds, you cannot do it here. This is mostly useful for ltering out some lines with the drop() procedure or rewriting them.
6.1.8.2
Conguration examples
Example 6.14 Parsing DICOM logs Each log message has a header (TIMESTAMP INTEGER SEVERITY) which is used as the message boundary. A regular expression is dened for this using the HeaderLine directive. Each log message is prepended with an additional line containing dashes and is output into a le.
<Extension dicom-multi> Module xm_multiline HeaderLine /^\d\d\d\d-\d\d-\d\d\d\d:\d\d:\d\d\.\d+\s+\d+\s+\S+\s+/ </Extension> <Input in> Module im_file File "modules/extension/multiline/xm_multiline4.in" SavePos FALSE ReadFromLast FALSE InputType dicom-multi </Input> <Output out> Module om_file File tmp/output Exec $raw_event = "--------------------------------------\n" + $raw_event; </Output> <Route 1> Path in => out </Route>
An input sample:
2011-12-1512:22:51.000000 4296 INFO Association Request Parameteres: Our Implementation Class UID: 2.16.124.113543.6021.2 Our Implementation Version Name: RZDCX_2_0_1_8 Their Implementation Class UID: Their Implementation Version Name: Application Context Name: 1.2.840.10008.3.1.1.1 Requested Extended Negotiation: none Accepted Extended Negotiation: none 2011-12-1512:22:51.000000 4296 DEBUG Constructing Associate RQ PDU 2011-12-1512:22:51.000000 4296 DEBUG WriteToConnection, length: 310, bytes written:  310, loop no: 1 2011-12-1512:22:51.015000 4296 DEBUG PDU Type: Associate Accept, PDU Length: 216 + 6  bytes PDU header 02 00 00 00 00 d8 00 01 00 00 50 41 43 53 20 20 20 20 20 20 20 20 20 20 20 20 52 5a 44 43 58 20 20 20 20 20 20 20 20 20 20 20 00 00 00 00 00 00 2011-12-1512:22:51.031000 4296 DEBUG DIMSE sendDcmDataset: sending 146 bytes
Example 6.15 Multi-line messages with a xed string header The following conguration will process messages having a xed string header containing dashes. Each event is then prepended with a sharp (#) and is output to a le.
<Extension multiline> Module xm_multiline HeaderLine "---------------" </Extension> <Input in> Module im_file File "modules/extension/multiline/xm_multiline1.in" SavePos FALSE ReadFromLast FALSE InputType multiline Exec $raw_event = "#" + $raw_event; </Input> <Output out> Module om_file File tmp/output </Output> <Route 1> Path in => out </Route>
An input sample:
--------------1 --------------1 2 --------------aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb ccccccccccccccccccccccccccccccccccccc dddd ---------------
Example 6.16 Multi-line messages with xed line count The following conguration will process messages having a xed line count of 4. Lines containing only whitespace are ignored and removed. Each event is then prepended with a sharp (#) and is output to a le.
<Extension multiline> Module xm_multiline FixedLineCount 4 Exec if $raw_event =~ /^\s*$/ drop(); </Extension> <Input in> Module im_file File "modules/extension/multiline/xm_multiline2.in" SavePos FALSE ReadFromLast FALSE InputType multiline </Input> <Output out> Module om_file File tmp/output Exec $raw_event = "#" + $raw_event; </Output> <Route 1> Path in => out </Route>
An input sample:
1 2 3 4 1asd 2asdassad 3ewrwerew 4xcbccvbc 1dsfsdfsd 2sfsdfsdrewrwe 3sdfsdfsew 4werwerwrwe
Example 6.17 Multi-line messages with a syslog header Multi-line messages are frequently logged over syslog and they end up in log les. Unfortunately from the result it looks that each line is one event with its own syslog header. It can be a common requirement to merge these back into a single event message. The following conguration does just that. It strips the syslog header from the netstat output stored as a traditional syslog formatted le and each message is then printed again with a line of dashes used as a separator.
<Extension syslog> Module xm_syslog </Extension> <Extension netstat> Module xm_multiline FixedLineCount 4 Exec parse_syslog_bsd(); $raw_event = $Message + "\n"; </Extension> <Input in> Module im_file File "modules/extension/multiline/xm_multiline3.in" SavePos FALSE ReadFromLast FALSE InputType netstat </Input> <Output out> Module om_file File tmp/output Exec $raw_event =  "------------------------------------------------------------------------------------\  n" + $raw_event; </Output> <Route 1> Path in => out </Route>
An input sample:
Nov 21 11:40:27 hostname TX-ERR TX-DRP TX-OVR Nov 21 11:40:27 hostname 30486067 0 Nov 21 11:40:27 hostname 277217234 0 Nov 21 11:40:27 hostname 368642 0 0 Nov 21 11:40:28 hostname TX-ERR TX-DRP TX-OVR Nov 21 11:40:28 hostname 30493583 0 Nov 21 11:40:28 hostname 277217234 0 Nov 21 11:40:28 hostname 368642 0 0 Nov 21 11:40:29 hostname TX-ERR TX-DRP TX-OVR Nov 21 11:40:29 hostname 30493735 0 Nov 21 11:40:29 hostname 277217234 0 Nov 21 11:40:29 hostname 368642 0 0 app[26459]: Iface Flg app[26459]: eth2 8 0 BMRU app[26459]: lo 0 0 LRU app[26459]: tun0 0 MOPRU app[26459]: Iface Flg app[26459]: eth2 8 0 BMRU app[26459]: lo 0 0 LRU app[26459]: tun0 0 MOPRU app[26459]: Iface Flg app[26459]: eth2 8 0 BMRU app[26459]: lo 0 0 LRU app[26459]: tun0 0 MOPRU MTU Met 1500 0 16436 0 1500 0 MTU Met 1500 0 16436 0 1500 0 MTU Met 1500 0 16436 0 1500 0 RX-OK RX-ERR RX-DRP RX-OVR 16936814 277217234 316943 0 0 0 0 0 0 0 0 0 TX-OK    TX-OK    TX-OK      
6.1.9
Syslog (xm_syslog)
This module provides support for the archaic BSD Syslog protocol as dened in RFC 3164 and the current IETF standard dened by RFC 5424-5426. This is achieved by exporting functions and procedures usable from the nxlog language. The transport is handled by the respective input and output modules (i.e. im_udp), this module only provides a parser and helper functions to create syslog messages and handle facility and severity values. The older but still widespread BSD syslog standard denes both the format and the transport protocol in RFC 3164. The transport protocol is UDP, but to provide reliability and security, this line based format is also commonly transferred over TCP and SSL. There is a newer standard dened in RFC 5424 also known as the IETF syslog format which obsolotes the BSD syslog format. This format overcomes most of the limitations of the old BSD syslog and allows multi-line messages and proper timestamps. The transport method is dened in RFC 5426 for UDP and RFC 5425 for TLS/SSL. Because the IETF Syslog format supports multi-line messages, RFC 5425 denes a special format to encapsulate these by prepending the payload size in ASCII to the IETF syslog message. Messages tranferred in UDP packets are self-contained and do not need this additional framing. The following input reader and output writer functions are provided by the xm_syslog module to support this TLS transport dened in RFC 5425. While RFC 5425 explicitly denes that the TLS network transport protocol is to be used, pure TCP may be used if security is not a requirement. Syslog messages can be also persisted to les with this framing format using these functions. InputType Syslog_TLS This input reader function parses the payload size and then reads the message according to this value. It is required to support Syslog TLS transport dened in RFC 5425. OutputType Syslog_TLS This output writer function prepends the payload size to the message. It is required to support Syslog TLS transport dened in RFC 5425.
Note The Syslog_TLS InputType/OutputType can work with any input/output such as im_tcp or im_le and it does not depend on SSL transport at all. The name Syslog_TLS is a little misleading, it was chosen to refer to the octet-framing method described in RFC 5425 used for TLS transport.
Note The pm_transformer module can also parse and create BSD and IETF syslog messages but using the functions and procedures provided by this module makes it possible to solve more complex tasks which pm_transformer is not capable of on its own.
Structured data in IETF syslog messages is parsed and put into nxlog elds. The SD-ID will be prepended to the eld name with a dot unless it is NXLOG@XXXX. Consider the following syslog message:
<30>1 2011-12-04T21:16:10.000000+02:00 host app procid msgid [exampleSDID@32473 eventSource  ="Application" eventID="1011"] Message part
After this IETF formatted syslog message is parsed with parse_syslog_ietf(), there will be two additional elds: $exampleSDID.eventID and $exampleSDID.eventSource. When SD-ID is NXLOG, the eld name will be the same as the SD-PARAM name. The two additional elds extracted from the structured data part of the following IETF syslog message are $eventID and $eventSource:
<30>1 2011-12-04T21:16:10.000000+02:00 host app procid msgid [NXLOG@32473 eventSource="  Application" eventID="1011"] Message part
All elds parsed from the structured data part are strings.
6.1.9.1 Conguration
In addition to the common module directives, the following can be used to congure the xm_syslog module instance.
SnareDelimiter This optional directive takes a single character as argument to specify the delimiter character used to separate elds when using the to_syslog_snare() procedure. The character specication works the same way as with the xm_csv module. If this directive is not specied, the default escape character is the tab character (\t). In latter versions of Snare4 this has changed to #, so you can use this conguration directive to specify an alternative delimiter. Note that there is no delimiter after the last eld. SnareReplacement This optional directive takes a single character as argument to specify the replacement character substituted in place of any occurences of the delimiter character inside the $Message eld when invoking the to_syslog_snare() procedure. The character specication works the same way as with the xm_csv module. If this directive is not specied, the default replacement character is space. IETFTimestampInGMT This optional boolean directive can be used to format the timestamps produced by to_syslog_ietf() in GMT instead of local time. This defaults to FALSE so that local time is used by default with a timezone indicator.
6.1.9.2 6.1.9.2.1 Functions and procedures exported by xm_syslog Functions exported by xm_syslog
integer syslog_facility_value(string arg); description Convert a syslog facility string to an integer arguments arg type: string return type integer string syslog_facility_string(integer arg); description Convert a syslog facility value to a string arguments arg type: integer return type string integer syslog_severity_value(string arg); description Convert a syslog severity string to an integer arguments arg type: string return type integer string syslog_severity_string(integer arg); description Convert a syslog severity value to a string arguments arg type: integer return type string
6.1.9.2.2 Procedures exported by xm_syslog
parse_syslog(); description Parse the raw_event eld as either BSD Syslog (RFC3164) or IETF Syslog (RFC5424) format parse_syslog(string source); description Parse the given string as either BSD Syslog (RFC3164) or IETF Syslog (RFC5424) format
arguments source type: string parse_syslog_bsd(); description Parse the raw_event eld as BSD Syslog (RFC3164) format parse_syslog_bsd(string source); description Parse the given string as BSD Syslog (RFC3164) format arguments source type: string parse_syslog_ietf(); description Parse the raw_event eld as IETF Syslog (RFC5424) format parse_syslog_ietf(string source); description Parse the given string as IETF Syslog (RFC5424) format arguments source type: string to_syslog_bsd(); description Create a BSD Syslog formatted log message in $raw_event from the elds of the event. The elds that are used to construct the $raw_event eld are $EventTime, $Hostname, $SourceName, $ProcessID, $Message, $SyslogSeverity or $SyslogSeverityValue or $Severity or $SeverityValue, $SyslogFacility or $SyslogFacilityValue. to_syslog_ietf(); description Create an IETF Syslog (RFC5424) formatted log message in $raw_event from the elds of the event. The elds that are used to construct the $raw_event eld are $EventTime, $Hostname, $SourceName, $ProcessID, $Message, $SyslogSeverity or $SyslogSeverityValue or $Severity or $SeverityValue, $SyslogFacility or $SyslogFacilityValue. to_syslog_snare(); description Create a SNARE Syslog formatted log message in $raw_event. Uses the following elds to construct $raw_event: $EventTime, $Hostname, $SeverityValue, $FileName, $EventID, $SourceName, $AccountName, $AccountType, $EventType, $Category, $Message.
6.1.9.3 Fields generated by xm_syslog
The following elds are set by xm_syslog: $raw_event Type string Will be set to a syslog formatted string after to_syslog_bsd() or to_syslog_ietf() is called. $Message Type string The message part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. $SyslogSeverityValue Type integer The severity part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default severity is 5 (="notice"). $SyslogSeverity Type string The severity part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default severity is "notice".
$SeverityValue Type integer Normalized severity number of the event. $Severity Type string Normalized severity name of the event. $SyslogFacilityValue Type integer The facility part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default facility is 1 (="user"). $SyslogFacility Type string The facility part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default facility is "user". $EventTime Type datetime Will be set to the timestamp found in the syslog message after parse_syslog_bsd() or parse_syslog_ietf() is called. If the year value is missing, it is set to the current year. $Hostname Type string The hostname part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. $SourceName Type string The application/program part of the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called. $MessageID Type string The MSGID part of the syslog message, lled after parse_syslog_ietf() is called. $ProcessID Type string The process id in the syslog line, lled after parse_syslog_bsd() or parse_syslog_ietf() is called.
6.1.9.4 Conguration examples
Example 6.18 Collecting BSD style syslog messages over UDP To collect BSD style syslog messages over UDP, use the parse_syslog_bsd() procedure coupled with the im_udp module as in the following example.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 514 Exec parse_syslog_bsd(); </Input> <Output out> Module om_file File "/var/log/logmsg.txt" </Output> <Route 1> Path in => out </Route>
Example 6.19 Collecting IETF style syslog messages over UDP To collect IETF style syslog messages over UDP as dened by RFC 5424 and RFC 5426, use the parse_syslog_ietf() procedure coupled with the im_udp module as in the following example. Note that the default port is 514 (as dened by RFC 5426), this is the same as for BSD syslog.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 514 Exec parse_syslog_ietf(); </Input> <Output out> Module om_file File "/var/log/logmsg.txt" </Output> <Route 1> Path in => out </Route>
Example 6.20 Collecting both IETF and BSD style syslog messages over the same UDP port To collect IETF and BSD style syslog messages over UDP, use the parse_syslog() procedure coupled with the im_udp module as in the following example. This procedure is capable of detecting and parsing both syslog formats. Since 514 is the default UDP port number for both BSD and IETF syslog, this can be useful to collect both formats simultaneously. If you want to accept both formats on different ports then it makes sense to use the appropriate parsers as in the previous two examples.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 514 Exec parse_syslog(); </Input> <Output out> Module om_file File "/var/log/logmsg.txt" </Output> <Route 1> Path in => out </Route>
Example 6.21 Collecting IETF style syslog messages over TLS/SSL To collect IETF style syslog messages over TLS/SSL as dened by RFC 5424 and RFC 5425, use the parse_syslog_ietf() procedure coupled with the im_ssl module as in the following example. Note that the default port is 6514 in this case (as dened by RFC 5425). The payload format parser is handled by the Syslog_TLS input reader.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_ssl Host localhost Port 6514 CAFile %CERTDIR%/ca.pem CertFile %CERTDIR%/client-cert.pem CertKeyFile %CERTDIR%/client-key.pem KeyPass secret InputType Syslog_TLS Exec parse_syslog_ietf(); </Input> <Output out> Module om_file File "/var/log/logmsg.txt" </Output> <Route 1> Path in => out </Route>
Example 6.22 Forwarding IETF syslog over TCP The following conguration uses the to_syslog_ietf() procedure to convert input to IETF syslog and forward it over TCP:
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_file File "/var/log/input.txt" Exec $TestField = "test value"; $Message = $raw_event; </Input> <Output out> Module om_tcp Host 127.0.0.1 Port 1514 Exec to_syslog_ietf(); OutputType Syslog_TLS </Output> <Route 1> Path in => out </Route>
Because of the Syslog_TLS framing, the raw data sent over TCP will look like the following:
130 <13>1 2012-01-01T16:15:52.873750Z - - - [NXLOG@14506 EventReceivedTime="2012-01-01 17:15:52" TestField="test value"] test message 
This example shows that all elds - except those which are lled by the syslog parser - are added to the structured data part.
Example 6.24 Conditional rewrite of the syslog facility - version 2 The following example does almost the same thing as the previous example, except that the syslog parsing and rewrite is moved to a processor module and rewrite only occurs if the facility was modied. This can make it work faster on multi-core systems because the processor module runs in a separate thread. This method can also minimize UDP packet loss because the input module does not need to parse syslog messages and can process UDP packets faster.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 514 </Input> <Processor rewrite> Module pm_null Exec parse_syslog_bsd();\ if $Message =~ /error/ \ {\ $SeverityValue = syslog_severity_value("error");\ to_syslog_bsd(); \ } </Processor> <Output fileout> Module om_file File "/var/log/logmsg.txt" </Output> <Route 1> Path in => rewrite => fileout </Route>
6.1.10
This module provides two procedures which make it possible to execute external scripts or programs. The reason for providing these two procedures through this additional extension module is to keep the nxlog core small. A security advantage is that an administrator wont be able to execute arbitrarly scripts if this module is not loaded.
Note The om_exec and im_exec modules also provide support for running external programs, though the purpose of these is to pipe data to and read data from programs. The procedures provided by the xm_exec module do not pipe log message data, these are intended for multiple invocations. Though data can be still passed to the executed script/program as command line arguments.
6.1.10.1 6.1.10.1.1
exec(string command, varargs args); description Execute the command passing it the supplied arguments and wait for it to terminate. The command is executed in the caller modules context. Note that the module calling this procedure will block until the process terminates. Use the exec_async() procedure to avoid this problem. All output written to STDOUT and STDERR by the spawned process is discarded.
arguments command type: string args type: varargs exec_async(string command, varargs args); description This procedure executes the command passing it the supplied arguments and does not wait for it to terminate. arguments command type: string args type: varargs
6.1.10.2 Conguration examples
\ exec_async("/bin/sh", "-c", echo " + $Hostname + \n\nRawEvent:\n + $raw_event + \ "|/usr/bin/mail -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" \ + user@domain.com ); \ } </Input> <Output out> Module om_file File "/var/log/messages" </Output> <Route r> Path in => out </Route>
6.1.11
Perl (xm_perl)
This module makes it possible to execute perl code and process event data using the perl language via a built-in perl interpreter. The perl interpreter is only loaded if the module is declared in the conguration. While the nxlog language is already a powerful framework, it is not intended to be a full featured programming language. For example it does not provide lists, arrays, hashes and other features available in many high-level languages. Perl is widely used for log processing and it comes with a broad set of modules bundled or available from CPAN. You can sometimes write faster code in C, but you can always write code faster in Perl. Code written in perl is also a lot safer because it is unlikely to crash. Exceptions in the perl code (croak/die) are handled properly and this will only result in an unnished attempt at executing the log processing code but will not take down the whole nxlog process. The module will parse the le specied in the PerlCode directive when nxlog and the module is started. This le should contain one or more methods which can be called from the Exec directive of any module which wants to do any log processing in perl. See the example below which illustrates the use of this module. To acccess the elds and the event data from the perl code, you need to include the Log::Nxlog module. This exports the following methods: set_eld_integer(event, key, value) Sets the integer value in the eld named key. set_eld_string(event, key, value) Sets the string value in the eld named key. set_eld_boolean(event, key, value) Sets the boolean value in the eld named key. get_eld(event, key) Retreive the value associated with the eld named key. The method returns a scalar value if the key exist and the value is dened, otherwise it returns undef. delete_eld(event, key) Delete the value associated with the eld named key. eld_type(event, key) Return a string representing the type of the value associated with the eld named key. eld_names(event) Return a list of the eld names contained in the event data. Can be used to iterate over all the elds. log_debug(msg) Send the message in the argument to the internal logger on DEBUG loglevel. Does the same as the procedure named log_debug() in nxlog. log_info(msg) Send the message in the argument to the internal logger on INFO loglevel. Does the same as the procedure named log_info() in nxlog. log_warning(msg) Send the message in the argument to the internal logger on WARNING loglevel. Does the same as the procedure named log_warning() in nxlog. log_error(msg) Send the message in the argument to the internal logger on ERROR loglevel. Does the same as the procedure named log_error() in nxlog. You should be able to read the POD documentation contained in Nxlog.pm with perldoc Log::Nxlog.
6.1.11.1 Conguration
The following directives can be used to congure the xm_perl module instance: PerlCode This mandatory directive expects a le which contains valid perl code. This le is read and parsed by the perl interpreter. Methods dened in this le can be called with the call() procedure.
6.1.11.2 6.1.11.2.1
call(string subroutine); description Calls the perl subroutine provided in the rst argument. arguments subroutine type: string perl_call(string subroutine); description Calls the perl subroutine provided in the rst argument. arguments subroutine type: string
6.1.11.3 Conguration examples
In this example logs are parsed as syslog then the data is passed to a perl method which does a GeoIP lookup on the source address of the incoming message.
# this is the method which is invoked from Exec for each event log sub process { # The event data is passed here when this method is invoked by the module my ( $event ) = @_; # We look up the county of the sender of the message my $msgsrcaddr = Log::Nxlog::get_field($event, MessageSourceAddress); if ( defined($msgsrcaddr) )
6.2
Input modules
Input modules are responsible for collecting event log data from various sources. The nxlog core will add a few elds in each input module, see the following section for the list of these.
6.2.1
The following elds are set by core: $raw_event Type string Filled with data received from stream modules (im_le, im_tcp, etc). $EventReceivedTime Type datetime Set to the time when the event is received. The value is not modied if the eld already exists. $SourceModuleName Type string The name of the module instance is stored in this eld for input modules. The value is not modied if the eld already exists. $SourceModuleType Type string The type the module instance (such as im_le) is stored in this eld for input modules. The value is not modied if the eld already exists.
6.2.2
FIXME
6.2.2.1
DBI (im_dbi)
Conguration examples
6.2.3
Program (im_exec)
This module will execute a program or script on startup and will read its standard output. It can be used to easily integrate with exotic log sources which can be read only with the help of scripts or programs.
6.2.3.1
Conguration
In addition to the common module directives, the following can be used to congure the im_exec module instance. Command This directive is mandatory. It species the name of the script/program to be executed. Arg This is an optional parameter, multiple can be specied for each argument needed to pass to the Command. Note that specifying multiple arguments with one Arg directive separated with spaces will not work because the Command will receive it as one argument, so you will need to split them up. InputType See the description about InputType in the global module cong section. Restart Restart the process if it exits. There is a 1 second delay before it is restarted in order not to DOS the system when a process is not behaving nicely. Looping should be implemented in the script itself, this directive is only to provide some safety against malfunctioning scripts and programs. This boolean directive defaults to FALSE.
6.2.3.2 Conguration examples
This exact same conguration is not recommended for real use because im_le was designed to read log messages from les. This example only demonstrates the use of the im_exec module.
6.2.4
File (im_le)
This module can be used to read log messages from les. The le position can be persistently saved across restarts in order to avoid reading from the beginning again when nxlog is restarted. It also supports external rotation tools. When the module cannot read any more data from the le, it checks whether the opened le descriptor belongs to the same lename it opened originally. If the inodes differ, the module assumes the le was moved and reopens its input. im_le uses a 1 second interval to monitor les for new messages. This method was implemented because polling a regular le is not supported on all platforms. If there is no more data to read, the module will sleep for 1 second. By using wildcards, the module can read multiple les simultaneously and will open new les as they appear. It will also enter newly created directories if recursion is enabled.
6.2.4.1 Conguration
In addition to the common module directives, the following can be used to congure the im_le module instance.
File This mandatory directive species the name of the input le to open. It must be a string type expression. For relative lenames you should be aware that nxlog changes its working directory to / unless the global SpoolDir is set to something else. On Windows systems the directory separator is backslash. For compatibility reasons the forward slash / character can be also used as the directory separator, but this only works for lenames which dont contain wildcards. If the lename is specied using wildcards, you should use backslash for the directory separator. Wildcards are supported in lenames only, directory names in the path cannot be wildcarded. Wildcards are not regular expressions, these are patterns commonly used by unix shells to expand lenames which is also known as globbing. ? Matches a single character only. * Matches zero or more characters. \* Matches the asterisk * character. \? Matches the question mark ? character. [...] Used to specify a single character. If the rst character of the class description is  or !, the sense of the description is reversed. The rest of the class description is a list of single characters or pairs of characters separated by -. Any of those characters can have a backslash in front of them, which is ignored; this lets you use the characters ] and - in the character class, as well as  and ! at the beginning.
Note The backslash character \ is used to escape the wildcard characters, unfortunately this is the same as the directory separator on Windows. Take this into account when specifying wildcarded lenames on this platform. Lets suppose that we have log les under the directory C:\test which need to be monitored. Specifying the wildcard C:\test\*.log will not match because \* becomes a literal asterisk, thus it is treated as a non-wildcarded lename. For this reason the directory separator needs to be escaped, so the C:\test\\*.log will match our les. C:\\test\\*.log will also work. When specifying the lename using double quotes, this would became "C:\\test\\\\*.log" because the backslash is also used as an escape character inside double quoted string literals. Filenames on Windows systems are treated case-insensitively. Unix/Linux is case-sensitive.
SavePos This directive takes a boolean value of TRUE or FALSE and species whether the le position should be saved when nxlog exits. The le position will be read from the cache le le upon startup. The le position is saved by default if this directive is not specied in the conguration. Even if SavePos is enabled, it can be explicitly turned off with the NoCache directive. ReadFromLast This optional directive takes a boolean value. If it is set to TRUE, it instructs the module to only read logs which arrived after nxlog was started in case the saved position could not be read (for example on rst start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If this is FALSE, the module will read all logs from the le. This can result in quite a lot of messages which is usually not the expected behaviour. If this directive is not specied, it defaults to TRUE. Recursive This directive takes a boolean value of TRUE or FALSE and species whether input les should be searched recursively under subdirectories. The default value is TRUE. This option takes effect only if wildcards are used in the lename. For example if /var/log/*.log is specied in the File directive, then /var/log/apache2/access.log will also match. Because wildcards in directory names of the path are not supported, this directive makes it possible to read multiple les from different subdirectories with a single im_le module instance only. PollInterval This directive species in seconds how frequently the module will check for new les and new log entries. If this directive is not specied it defaults to 1 second. Fractional seconds may be specied, i.e. to check twice every second you should set the following: PollInterval 0.5 InputType See the description about InputType in the global module cong section.
6.2.4.2 6.2.4.2.1 Functions and procedures exported by im_le Functions exported by im_le
string file_name();
description Return the name of the le currently open which the log was read from. return type string
6.2.4.3 Conguration examples
6.2.5
Internal (im_internal)
This module makes it possible to insert internal log messages of nxlog into a route. nxlog generates messages about error conditions, debugging messages, etc. In addition internal messages can be also generated from the nxlog language using the log_info(), log_warning() and log_error() procedure calls.
Note Only messages with loglevel INFO and above are supported. Debug messages are ignored due to technical reasons. For debugging purposes the direct logging facility should be used, see the global LogFile and LogLevel directives. One must be careful about the use of the im_internal module because it is easy to cause a message loop. For example consider the situation when the internal messages are sent to a database. If the database is experiencing errors which result in internal error messages then these are again routed to the database and this will trigger further error messages and is easy to see that this will result in a loop. In order to avoid a resource exhaustion, the im_internal module will drop its messages when the queue of next module in the route is full. It is recommended to always put the im_internal module instance in a separate route.
The im_internal does not have any module specic conguration directives in addition to the common module directives.
Note If you require internal messages in syslog format, you need to explicitely convert them with pm_transformer or using the to_syslog_bsd() procedure of the xm_syslog module, because the $raw_event eld is not generated in syslog format.
6.2.5.1
The following elds are set by im_internal: $raw_event Type string Will be set to the string passed to the log_info() and other log() procedures.
$Message Type string Set to the same value as $raw_event. $SeverityValue Type integer Depending on the log level of the internal message, the syslog severity is set to the value corresponding to "debug", "info", "warning", "error" or "critical". $Severity Type string The severity name of the event. $EventTime Type datetime Will be set to the current time. $SourceName Type string Will be set to nxlog. $ProcessID Type integer The eld is lled with the process id of the nxlog process. $Hostname Type string The hostname where the log is produced $ErrorCode Type integer If an error is logged resulting from an OS error, this eld contains the error number provided by the Apache portable runtime library.
6.2.5.2 Conguration examples
6.2.6
Kernel (im_kernel)
This module can collect kernel log messages from the kernel log buffer. Currently this module works on linux only. On Linux the klogctl() system call is used for this purpose. In order to be able to read kernel logs, special privileges are required. For this reason nxlog needs to be started as root. Using the User and Group global directives nxlog can then drop its root privileges but it will keep the CAP_SYS_ADMIN capability to be able to read the kernel log buffer.
Note Unfortunately it is not possible to read from the /proc/kmsg pseudo le for an unprivileged process even if the CAP_SYS_ADMIN capability is kept. For this reason the /proc/kmsg interface is not supported by the im_kernel module. The im_le module should work ne with the /proc/kmsg pseudo le if one wishes to collect kernel logs this way, though this will require nxlog to be running as root.
Note Kernel messages are valid BSD syslog messages but do not contain timestamp and hostname elds. These can be parsed with pm_transformer or using the parse_syslog_bsd() procedure of the xm_syslog module, this will set the timestamp and hostname elds.
6.2.6.1
Conguration examples
im_kernel
<Output fileout> Module om_file File "tmp/output" </Output> <Route 1> Path </Route>
6.2.7
Mark (im_mark)
Mark messages are used to indicate periodic activity in order to be assured that the logger is running in case there are no log messages coming in from other sources. By default, without specifying any of the module specic directives, a log message is emitted every 30 minutes containing "-MARK --".
Note If you require mark messages in syslog format, you need to explicitely convert them with pm_transformer or using the to_syslog_bsd() procedure of the xm_syslog module, because the $raw_event eld is not generated in syslog format.
Note The functionality of the im_mark module can be also achieved using the Schedule block with a log_info("--MARK--") Exec statement which would insert the messages via the im_internal module into a route. Using a single module for this task can simplify and possibly make the conguration easier to understand. Just wanted to point out that "there is more than one way to do it" :)
6.2.7.1
Conguration
In addition to the common module directives, the following can be used to congure the im_mark module instance. Mark This optional directive can set the string for the mark message. If not specied, the default is "-- MARK --". MarkInterval This optional directive sets the interval for mark messages in minutes. If not specied, the default value of 30 minutes is used.
6.2.7.2 Fields generated by im_mark
The following elds are set by im_mark: $raw_event Type string Will be set to "-- MARK --" or the value dened with the Mark conguration directive. $Message Type string Set to the same value as $raw_event. $SeverityValue Type integer Its value will be set to 6 which is the "info" severity level. $Severity Type string The severity name of the event. $EventTime Type datetime Will be set to the current time. $SourceName Type string Will be set to nxlog. $ProcessID Type integer The eld is lled with the process id of the nxlog process.
6.2.7.3 Conguration examples
6.2.8
This module can be used to collect EventLog messages on Microsoft Windows platforms. The module looks up the available EventLog sources stored under the registry key "SYSTEM\\CurrentControlSet\\Services\\Eventlog" and will poll logs from each of these or only the sources dened with the Sources directive.
Note Windows Vista, Windows 2008 and later use a new EventLog API which is not backward compatible. Messages in some events produced by sources in this new format cannot be resolved with the old API which is used by this module. If such an event is encountered, a Message similar to the following will be set:
The description for EventID XXXX from source SOURCE cannot be read by im_mseventlog because this does not support the newer WIN2008/Vista EventLog API.
Though the majority of event messages can be read with this module even on Windows 2008/Vista and later, it is recommended to use the im_msvistalog module instead.
Note Strings are stored in dll and executable les and these need to be looked up by the module when reading eventlog messages. If a program (dll/exe) is already uninstalled and cannot be opened to look up the strings in the message, the following message will appear instead:
The description for EventID XXXX from source SOURCE cannot be found.
6.2.8.1
Conguration
In addition to the common module directives, the following can be used to congure the im_mseventlog module instance. SavePos This directive takes a boolean value of TRUE or FALSE and species whether the le position should be saved when nxlog exits. The le position will be read from the cache le upon startup. The le position is saved by default if this directive is not specied in the conguration. Even if SavePos is enabled, it can be explicitly turned off with the NoCache directive. ReadFromLast This optional directive takes a boolean value. If it is set to TRUE, it instructs the module to only read logs which arrived after nxlog was started in case the saved position could not be read (for example on rst start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If this is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages which is usually not the expected behaviour. If this directive is not specied, it defaults to TRUE. Sources This optional directive takes a comma separated list of eventlog le names, such as Security, Application, to read only specic eventlog sources. If this directive is not specied, then all available eventlog sources are read (as listed in the registry). This directive should not be confused with the SourceName containted within the eventlog and it is not a list of such names. The value of this is stored in the FileName eld. UTF8 This optional directive takes a boolean value. If it is set to TRUE, all strings will be converted to UTF-8 encoding. Internally this calls the convert_elds procedure. The xm_charconv module must be loaded for the character set conversoion to work. If this UTF8 directive is not dened, it defaults to TRUE, but conversion will only occur if the xm_charconv module is loaded, otherwise strings will be in the local codepage.
6.2.8.2 Fields generated by im_mseventlog
The following elds are set by im_mseventlog: $raw_event Type string Contains the timestamp, hostname, severity and message from the event $Message Type string Contains the message from the event $EventTime Type datetime Will be set to the TimeGenerated eld of the EventRecord.
$EventTimeWritten Type datetime Will be set to the TimeWritten eld of the EventRecord. $Hostname Type string The host or computer name eld of the EventRecord. $SourceName Type string The event source which produced the event, this is the subsystem or application name. $EventID Type integer The event id of the EventRecord. $CategoryNumber Type integer The category number, stored as Category in the EventRecord. $Category Type string The category name resolved from CategoryNumber. $FileName Type string The logle source (e.g. Security, Application) of the event. $AccountName Type string The username associated with the event. $AccountType Type string The type of the account. Possible values are: User, Group, Domain, Alias, Well Known Group, Deleted Account, Invalid, Unknown, Computer. $Domain Type string The domain name of the user. $SeverityValue Type integer Normalized severity number of the event. $Severity Type string Normalized severity name of the event. $EventType Type string The type of the event which is a string describing the severity. It takes the following values: "ERROR", "AUDIT_FAILURE", "AUDIT_SUCCESS", "INFO", "WARNING", "UNKNOWN" $RecordNumber Type integer The number of the event record.
6.2.8.3 Conguration examples
in => out
6.2.9
This module can be used to collect EventLog messages on Microsoft Windows platforms which support the newer EventLog API (also known as the Crimson Eventlog subsystem), namely Windows 2008/Vista and later. You can refer to the ofcial Microsoft documentation about Event Logs. The module supports reading all System, Application and Custom events. It looks up the available channels and monitors events in each unless the Query and the Channel directives are explicitely dened. Event logs can be collected from remote servers over MS RPC (Note: Enterprise Edition only).
Note This module will not work on Windows 2003 and earlier because Windows Vista, Windows 2008 and later use a new EventLog API which is not available in earlier Windows versions. If you need to collect EventLog messages on these platforms, you should use the im_mseventlog module instead.
Note The Windows EventLog subsystem does not support subscriptions to Debug and Analytic channels, thus it is not possible to collect these type of events with this module.
In addition to the standard set of elds which are listed under the System section, event providers can dene their own additional schema which enables logging additional data under the EventData section. The Security log makes use of this new feature and such additional elds can be seen as in the following XML snippet:
<EventData> <Data Name="SubjectUserSid">S-1-5-18</Data> <Data Name="SubjectUserName">WIN-OUNNPISDHIG$</Data> <Data Name="SubjectDomainName">WORKGROUP</Data> <Data Name="SubjectLogonId">0x3e7</Data> <Data Name="TargetUserSid">S-1-5-18</Data> <Data Name="TargetUserName">SYSTEM</Data> <Data Name="TargetDomainName">NT AUTHORITY</Data> <Data Name="TargetLogonId">0x3e7</Data> <Data Name="LogonType">5</Data> <Data Name="LogonProcessName">Advapi</Data> <Data Name="AuthenticationPackageName">Negotiate</Data> <Data Name="WorkstationName" /> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x1dc</Data> <Data Name="ProcessName">C:\Windows\System32\services.exe</Data> <Data Name="IpAddress">-</Data> <Data Name="IpPort">-</Data> </EventData>
nxlog can extract this data when elds are logged using this schema. The values will be available in the elds of the internal nxlog log structure. This is especially useful because there is no need to write pattern matching rules to extract this data from the message. These elds can be used in ltering rules, writing them into SQL tables or to trigger actions. Consider the following example which lters using the Exec directive:
<Input in> Module Exec </Input> im_msvistalog if ($TargetUserName == SYSTEM) OR ($EventType == VERBOSE) drop();
6.2.9.1
Conguration
In addition to the common module directives, the following can be used to congure the im_msvistalog module instance. SavePos This directive takes a boolean value of TRUE or FALSE and species whether the le position should be saved when nxlog exits. The le position will be read from the cache le upon startup. The le position is saved by default if this directive is not specied in the conguration. Even if SavePos is enabled, it can be explicitly turned off with the NoCache directive. ReadFromLast This optional directive takes a boolean value. If it is set to TRUE, it instructs the module to only read logs which arrived after nxlog was started in case the saved position could not be read (for example on rst start). When SavePos is TRUE and a previously saved position value could be read, the module will resume reading from this saved position. If this is FALSE, the module will read all logs from the EventLog. This can result in quite a lot of messages which is usually not the expected behaviour. If this directive is not specied, it defaults to TRUE. Query This directive species the query if one wishes to pull only specic eventlog sources. See the MSDN docs about Event Selection. Note that this directive needs a single-line parameter, so multi-line query XML should be specied with line continuation marks (\) as in the following example:
Query <QueryList> <Query Id=1> <Select Path=Security>*[Security/Level=4]</Select> </Query> </QueryList> \ \ \ \
When the Query contains an XPath style expression, the Channel must also be specied. Otherwise if an XML Query is specied, the Channel should not be used. Channel The name of the Channel to query. If not specied, the module will read from all sources dened in the registry. See the MSDN docs about Event Selection. PollInterval This directive species in seconds how frequently the module will check for new events. If this directive is not specied it defaults to 1 second. Fractional seconds may be specied, i.e. to check twice every second you should set the following: PollInterval 0.5
6.2.9.2 Fields generated by im_msvistalog
The following elds are set by im_msvistalog: $raw_event Type string Contains the EventTime, Hostname, Severity EventID and Message from the event. $Message Type string Contains the message from the event. $EventTime Type datetime Will be set to the EvtSystemTimeCreated eld. $Hostname Type string Contains the EvtSystemComputer eld. $SourceName Type string The event source which produced the event, this is the EvtSystemProviderName eld. $EventID Type integer The event id as in EvtSystemEventID. $Task Type integer The task number as in EvtSystemTask.
$Category Type string The category name resolved from Task. $Keywords Type integer The value of the Keywords eld from EvtSystemKeywords. $Channel Type string The Channel (e.g. Security, Application) of the event source. $AccountName Type string The username associated with the event. $AccountType Type string The type of the account. Possible values are: User, Group, Domain, Alias, Well Known Group, Deleted Account, Invalid, Unknown, Computer. $Domain Type string The domain name of the user. $UserID Type string The SID which resolves to AccountName, stored in EvtSystemUserID. $SeverityValue Type integer Normalized severity number of the event. $Severity Type string Normalized severity name of the event (CRITICAL|ERROR|WARNING|INFO|DEBUG). $EventType Type string The type of the event which is a string describing the severity. This is translated to its string representation from EvtSystemLevel. It takes the following values: "CRITICAL", "ERROR", "AUDIT_FAILURE", "AUDIT_SUCCESS", "INFO", "WARNING", "VERBOSE" $ProviderGuid Type string The GUI of the events provider as stored in EvtSystemProviderGuid. This corresponds to the name of the provider stored in the SourceName eld. $Version Type integer The Version number of the event as in EvtSystemVersion. $OpcodeValue Type integer The Opcode number of the event as in EvtSystemOpcode. $Opcode Type string The opcode string resolved from OpcodeValue. $ActivityID Type string The ActivityID as stored in EvtSystemActivityID. $RelatedActivityID Type string The RelatedActivityID as stored in EvtSystemRelatedActivityID. $ProcessID Type integer The process identier of the event producer as in EvtSystemProcessID. $ThreadID Type integer The thread identier of the event producer as in EvtSystemThreadID. $RecordNumber Type integer The number of the event record.
6.2.9.3
Conguration examples
in => out
6.2.10
Null (im_null)
This module does not generate any input, so basically it does nothing. Yet it can be useful for creating a dummy route, testing purposes, and it can have Scheduled nxlog code execution as well, so it is not completely useless. This module does not have any module specic conguration directives. See this example for usage.
6.2.11
TLS/SSL (im_ssl)
The im_ssl module provides an SSL/TLS transport using the OpenSSL library beneath the surface. It behaves similarly to the im_tcp module, except that an SSL handshake is performed at connection time and the data is sent over a secure channel. Because log messages transferred over plain TCP can be eavasdropped or even altered with a man-in-the-middle attack, using the im_ssl module provides a secure log message transport.
6.2.11.1 Conguration
In addition to the common module directives, the following can be used to congure the im_ssl module instance. Host This species the IP address or a dns hostname which the module should listen on to accept connections. Port This species the port number which the module will listen on for incoming conenctions. CertFile This species the path of the certicate le to be used in the SSL handshake. CertKeyFile This species the path of the certicate key le to be used in the SSL handshake. KeyPass Optional password of the certicate key le dened in CertKeyFile. For passwordless private keys the directive is not needed. CAFile This species the path of the certicate of the CA which will be used to check the certicate of the remote socket against. CADir This species the path of CA certicates which will be used to check the certicate of the remote socket against. The cert le names in this directory must be in the OpenSSL hashed format. CRLFile This species the path of the certicate revocation list (CRL) which will be used to check the certicate of the remote socket against. CRLDir This species the path of certicate revocation lists (CRLs) which will be used to check the certicate of the remote socket against. The le names in this directory must be in the OpenSSL hashed format.
RequireCert This takes a boolean value of TRUE or FALSE and species whether the remote must present a certicate. If set to TRUE and there is no certicate presented during the handshake of the accepted connection, the connection will be refused. The default value is TRUE if this directive is not specied, meaning that all connections must use a certicate by default. AllowUntrusted This takes a boolean value of TRUE or FALSE and species whether the remote connection should be allowed without certicate verication. If set to TRUE the remote will be able to connect with unknown and self-signed certicates. The default value is FALSE if this directive is not specied, meaning that all connections must present a trusted certicate by default. InputType See the description about InputType in the global module cong section.
6.2.11.2 Fields generated by im_ssl
The following elds are set by im_ssl: $raw_event Type string Will be set to the string received. $MessageSourceAddress Type string Set to the IP address of the remote host.
6.2.11.3 Conguration examples
Example 6.36 Reading binary data forwarded from another nxlog agent
<Input ssl> Module im_ssl Host localhost Port 23456 CAFile %CERTDIR%/ca.pem CertFile %CERTDIR%/client-cert.pem CertKeyFile %CERTDIR%/client-key.pem KeyPass secret InputType Binary </Input> <Output fileout> Module om_file File "tmp/output" </Output> <Route 1> Path ssl => fileout </Route>
6.2.12
TCP (im_tcp)
This module accepts TCP connections on the address and port specied in the conguration. It can handle multiple simultaneous connections. The TCP transfer protocol provides more reliable log transmission than UDP. If security is a concern, consider using the im_ssl module instead.
Note There is no access control built in the module. If you need to deny some hosts connecting to the modules TCP port, you should use appropriate rewall rules for this purpose.
6.2.12.1
Conguration
In addition to the common module directives, the following can be used to congure the im_tcp module instance. Host This species the IP address or a dns hostname which the module should listen on to accept connections.
Note Because of security reasons the default listen address is localhost if this directive is not specied (the localhost loopback address is not accessible from the outside). You will most probably want to send logs from remote hosts, so make sure that the address specied here is accessible. The any address 0.0.0.0 is commonly used here.
Port This species the port number which the module will listen on for incoming conenctions. The default port is 514 if this directive is not specied. InputType See the description about InputType in the global module cong section.
6.2.12.2 Fields generated by im_tcp
The following elds are set by im_tcp: $raw_event Type string Will be set to the string received. $MessageSourceAddress Type string Set to the IP address of the remote host.
6.2.12.3 Conguration examples
6.2.13
UDP (im_udp)
This module accepts UDP datagrams on the address and port specied in the conguration. UDP is the transport protocol of the old BSD syslog standard as described in RFC 3164, so this module can be particularly useful to receive such messages from older devices which do not support other transports.
Note There is no access control built in the module. If you need to deny some hosts sending logs to the modules UDP port, you should use appropriate rewall rules for this purpose.
Note UDP packets can be dropped by the operating system because the protocol does not guarantee reliable message delivery. It is recommended to use the tcp or ssl transport modules instead if message loss is a concern. Though nxlog was designed to minimize message loss even in the case of UDP, adjusting the kernel buffers could also help in avoiding UDP message loss on a loaded system. The Priority directive in the route block can also help in this situation.
For parsing syslog messages, take a look at the pm_transformer module or the parse_syslog_bsd() procedure of the xm_syslog.
6.2.13.1 Conguration
In addition to the common module directives, the following can be used to congure the im_udp module instance. Host This species the IP address or a dns hostname which the module should listen on to accept connections. The default address is "localhost" if this is not specied. Port This species the port number which the module will listen on for incoming conenctions. The default port is 514 if this directive is not specied. SockBufSize This optional directive sets the socket buffer size (SO_RCVBUF) to the value specied. Otherwise the OS defaults are used. If you are experiencing UDP packet loss at the kernel level, setting this to a high value (e.g. 150000000) may help. On Microsoft Windows systems the default socket buffer size is extremely low, using this option is highly recommended. InputType See the description about InputType in the global module cong section.
6.2.13.2 Fields generated by im_udp
The following elds are set by im_udp: $raw_event Type string Will be set to the string received. $MessageSourceAddress Type string Set to the IP address of the remote host.
6.2.13.3
Conguration examples
6.2.14
This module allows log messages to be received over a unix domain socket. Traditionally unix systems have a socket, typically /dev/log used by the system logger to accept messages from. Applications wishing to send messages to the system log use the syslog(3) system call.
Note This module supports SOCK_DGRAM type sockets only. SOCK_STREAM type sockets may be supported in the future.
Note It is recommended to disable FlowControl when this module is used to collect local syslog from the /dev/log unix domain socket. Otherwise the syslog() system call will block in all programs which are trying to write to the system log if the Output queue becomes full and this will result in an unresponsive system.
For parsing syslog messages, take a look at the pm_transformer module or the parse_syslog_bsd() procedure of the xm_syslog.
6.2.14.1 Conguration
In addition to the common module directives, the following can be used to congure the im_uds module instance. UDS This species the path of the unix domain socket. The default is /dev/log if this is not specied. InputType See the description about InputType in the global module cong section. This defaults to dgram if not specied because unix domain sockets are SOCK_DGRAM type on Linux and the module does not yet support SOCK_STREAM sockets.
6.2.14.2
Conguration examples
6.3
6.3.1
Processor modules
Blocker (pm_blocker)
This module can block log messages and can be used to simulate when a route is blocked. When the module blocks the data ow, log messages are rst accumulated in the buffers, and then the ow-control mechanism pauses the input modules. Using the block() procedure it is possibile to programatically stop or resume the data ow. It can be useful for real-world scenarios as well as testing. See the examples below. When the module starts, the blocking mode is disabled by default, i.e. it operate just like pm_null would.
6.3.1.1 6.3.1.1.1 Functions and procedures exported by pm_blocker Functions exported by pm_blocker
boolean is_blocking(); description Return TRUE if the module is currently blocking the data ow, FALSE otherwise. return type boolean
6.3.1.1.2 Procedures exported by pm_blocker
block(boolean mode); description When mode is TRUE, the module will block. You should call block(FALSE) from a schedule block or another module, otherwise it might not get invoked if the queue is already full. arguments mode type: boolean
6.3.1.2
Conguration examples
Example 6.40 Using the pm_blocker module In this example we collect messages received over UDP and forward it to another host via TCP. The log data is forwarded during non-working hours between 19 pm and 8 am. During the other half of the day data is buffered on the disk to be sent out only after 19 pm.
<Input in> Module im_udp Host 0.0.0.0 Port 1514 </Input> <Processor buffer> Module pm_buffer # 100Mb disk buffer MaxSize 102400 Type disk </Processor> <Processor blocker> Module pm_blocker <Schedule> When 0 8 * * * Exec blocker->block(TRUE); </Schedule> <Schedule> When 0 19 * * * Exec blocker->block(FALSE); </Schedule> </Processor> <Output out> Module om_tcp Host 192.168.1.1 Port 1514 </Output> <Route 1> Path in => buffer => blocker => out </Route>
6.3.2
Buffer (pm_buffer)
Messages received over UDP may be dropped by the operating system unless packets are read from the message buffer fast enough. Some logging subsystems using a small circular buffer can also overwrite logs old logs in the buffer if it is not read, thus there is a chance of missing important log data. Such situations can lead to dropped or lost messages and other problems where buffering can help. The pm_buffer module supports disk and memory based log message buffering. If both are required, multiple pm_buffer instances can be used with different settings. Because a memory buffer can be faster, though its size is limited, combining memory and disk based buffering can be a good idea in case buffering is frequently used. The disk based buffering mode stores the log message data in chunks. When all the data is successfully forwarded from a chunk, it is then deleted in order to save disk space.
Note Using pm_buffer is only recommended when there is a chance of message loss. The built-in ow-control in nxlog ensures that messages will not be read by the input module until the output side can send/store/forward. When reading from les (with im_le) or the Windows Eventlog (with im_mseventlog or im_msvistalog) it is rarely necessary to use the pm_buffer module unless there is a chance of log rotation (and thus a possibility of missing some data) while the output module (e.g. TCP or SSL) is being blocked.
6.3.2.1
Conguration
In addition to the common module directives, the following can be used to congure the pm_buffer module instance. MaxSize Species the size of the buffer in kilobytes. This paramater is mandatory. WarnLimit Species an optional limit smaller than MaxSize which will trigger a warning message when reached. The log message will not be emitted again until the buffer size drops to half of WarnLimit and reaches it again in order to protect against a warning message ood. Type Type can be either Mem or Disk to select memory or disk based buffering respectively. Directory Name of the directory used to store the disk buffer le chunks. This is only valid with Type set to Disk mode.
6.3.2.2 6.3.2.2.1 Functions and procedures exported by pm_buffer Functions exported by pm_buffer
integer buffer_size(); description Return the size of the memory buffer in bytes. return type integer integer buffer_count(); description Return the number of log messages held in the memory buffer. return type integer
6.3.2.3
Conguration examples
Example 6.41 Using a memory buffer to protect against udp message loss
<Input udp> Module im_udp Host 0.0.0.0 Port 514 </Input> <Processor buffer> Module pm_buffer # 1Mb buffer MaxSize 1024 Type Mem # warn at 512k WarnLimit 512 </Processor> <Output tcp> Module om_tcp Host 192.168.1.1 Port 1514 </Output> <Route 1> Path udp => buffer => tcp </Route>
6.3.3
The pm_evcorr module provides event correlation functionality in addition to the already available nxlog language features such as variables and statistical counters which can be also used for event correlation purposes. This module was greatly inspired by the Perl based correlation tool SEC. Some of the rules of the pm_evcorr module were designed to mimic those available in SEC. This module aims to be a better alternative to SEC with the following advantages: The correlation rules in SEC work with the current time. With pm_evcorr it is possible to specify a time eld wich is used for elapsed time calculation making ofine event correlation also possible. SEC uses regular expressions extensively which can become quite slow in case of many correlation rules. In contrast this module can correlate preprocessed messages using elds for example from the pattern matcher and the syslog parser without requiring the use of regular expressions (though these are also available for use by correlation rules). Thus testing conditions can be signicantly faster when simple comparison is used instead of regular expression based pattern matching. This module was designed to operate on elds thus making it possible to correlate structured logs in addition to simple freeform log messages. Most importantly, this module is written in C and SEC is pure Perl which could have major performance benets. The rulesets of this module can use a context. A context is an expression which is evaluated during runtime to a value and the correlation rule is checked in the context of this value. For example if we wanted to count the number of failed logins per user and alert if the failed logins exceed 3 for the user, then wed use the $AccountName as the context. There is a separate context storage is for each correlation rule instance. If you need global contexts accessible from all rule instances, take a look at module variables and statistical counters.
6.3.3.1
Conguration
The pm_evcorr conguration contains correlation rules which are evaluated for each log message processed by the module. Currently there are ve rule types supported by pm_evcorr: Simple, Suppressed, Pair, Absence and Thresholded. These rules are dened in cong blocks. The order of the rules is important because the rules are evaluated in the order they are dened. For example a correlation rule can change a state, variable or eld which can be then used by a later rule. File inclusion can be useful to move the correlation rules into a standalone le. In addition to the common module directives, the following can be used to congure the pm_evcorr module instance. TimeField Species the name of the eld to use for calculating elapsed time such as EventTime. The name of the eld must be specied without the leading dollar "$" sign. If this parameter is not specied, the current time is assumed. This directive makes it possible to accurately correlate events based on the event time recorded in the logs and to do non real-time event correlation also. ContextCleanTime When a Context is used in the correlation rules, these must be purged from memory after they are expired, otherwise using too many context values could result in a high memory usage. This optional directive species the interval between context cleanups in seconds. By default a 1 minute cleanup interval is used if any rules use a Context and this directive is not specied. Simple This rule is essentially the same as the Exec directive supported by all modules. Because Execs are evaluated before the correlation rules, the Simple rule was also needed to be able to evaluate a statement as the other rules do, following the rule order. The Simple block has one directive also with the same name. Exec One or more Exec directives must be specied which takes a statement as argument. Suppressed This rule matches the given condition. If the condition evaluates to TRUE, the statement specied with the Exec directive is evaluated. The rule will then ignore any log messages for the time specied with Interval directive. For example this rule is useful to suppress creating many alerts in a short period when a condition is satised. Condition This mandatory directive takes an expression as argument which must evaluate to a boolean value. Interval This mandatory directive takes an integer argument specifying the number of seconds to ignore the condition. The TimeField directive is used to calculate time. Context This optional directive species an expression to be used as the context. It must evaluate to a value. Most often a eld is specied here. Exec One or more Exec directives must be specied which takes a statement as argument. Pair When TriggerCondition evaluates to TRUE, this rule type will wait Interval seconds for RequiredCondition to become TRUE, it then executes the statement(s) in the Exec directive(s). TriggerCondition This mandatory directive takes an expression as argument which must evaluate to a boolean value. RequiredCondition This mandatory directive takes an expression as argument which must evaluate to a boolean value. When this evaluates to TRUE after TriggerCondition evaluated to TRUE within Interval seconds, the statement(s) in the Exec directive(s) are executed. Interval Thisdirective takes an integer argument specifying the number of seconds to wait for RequiredCondition to become TRUE. If this directive is 0 or not specied, the rule will wait indenitely for RequiredCondition to become TRUE. The TimeField directive is used to calculate time. Context This optional directive species an expression to be used as the context. It must evaluate to a value. Most often a eld is specied here. Exec One or more Exec directives must be specied which takes a statement as argument. Absence This rule type does the opposite of Pair. When TriggerCondition evaluates to TRUE, this rule type will wait Interval seconds for RequiredCondition to become TRUE. If it does not become TRUE it then executes the statement(s) in the Exec directive(s). TriggerCondition This mandatory directive takes an expression as argument which must evaluate to a boolean value. RequiredCondition This mandatory directive takes an expression as argument which must evaluate to a boolean value. When this evaluates to TRUE after TriggerCondition evaluated to TRUE within Interval seconds, the statement(s) in the Exec directive(s) are NOT executed.
Interval This mandatory directive takes an integer argument specifying the number of seconds to wait for RequiredCondition to become TRUE. Its value must be greater than 0. The TimeField directive is used to calculate time. Context This optional directive species an expression to be used as the context. It must evaluate to a value. Most often a eld is specied here. Exec One or more Exec directives must be specied which takes a statement as argument.
Note The evaluation of this Exec is not triggered by a log event, thus it does not make sense to use log data related operations such as accessing elds.
Thresholded This rule will execute the statement(s) in the Exec directive(s) if the Condition evaluates to TRUE Threshold or more times during the Interval specied. The advantage of this rule over the use of statistical counters is that the time window is dynamic and shifts as log messages are processed. Thus the problem described in this example is not present with this rule. Condition This mandatory directive takes an expression as argument which must evaluate to a boolean value. Interval This mandatory directive takes an integer argument specifying a time window for Condition to become TRUE. Its value must be greater than 0. The TimeField directive is used to calculate time. This time window is dynamic, meaning that it will shift. Threshold This mandatory directive takes an integer argument specifying the number of times Condition must evaluate to TRUE within the given time Interval. When the treshold is reached, the module executes the statement(s) in the Exec directive(s). Context This optional directive species an expression to be used as the context. It must evaluate to a value. Most often a eld is specied here. Exec One or more Exec directives must be specied which takes a statement as argument. Stop This rule will stop evaluating successive rules if the Condition evaluates to TRUE. The optional Exec directive will be evaluated in this case. Condition This mandatory directive takes an expression as argument which must evaluate to a boolean value. When it evaluates to TRUE, the correlation rule engine will stop checking any further rules. Exec One or more Exec directives can be specied which takes a statement as argument. This will be evaluated when the specied Condition is satised. This Exec directive is optional.
6.3.3.2
Conguration examples
Example 6.42 Correlation rules This following conguration sample contains a rule for each type.
<Input in> Module im_file File "modules/processor/evcorr/testinput_evcorr2.txt" SavePos FALSE ReadFromLast FALSE Exec if ($raw_event =~ /^(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (.+)/) { $EventTime = parsedate($1); $Message = $2; $raw_event = $Message; } </Input> <Input internal> Module im_internal Exec $raw_event = $Message; Exec $EventTime = 2010-01-01 00:01:00; </Input> <Output out> Module om_file File tmp/output </Output> <Processor evcorr> Module pm_evcorr TimeField EventTime <Simple> Exec if $Message =~ /^simple/ $raw_event = "got simple"; </Simple> <Suppressed> # match input event and execute an action list, but ignore the following # matching events for the next t seconds. Condition $Message =~ /^suppressed/ Interval 30 Exec $raw_event = "suppressing.."; </Suppressed> <Pair> # If TriggerCondition is true, wait Interval seconds for RequiredCondition to be true and  then do the Exec # If Interval is 0, there is no window on matching TriggerCondition $Message =~ /^pair-first/ RequiredCondition $Message =~ /^pair-second/ Interval 30 Exec $raw_event = "got pair"; </Pair> <Absence> # If TriggerCondition is true, wait Interval seconds for RequiredCondition to be true. # If RequiredCondition does not become true within the specified interval then do the  Exec TriggerCondition $Message =~ /^absence-trigger/ RequiredCondition $Message =~ /^absence-required/ Interval 10 Exec log_info("absence-required not received within 10 secs"); </Absence> <Thresholded> # if the number of events exceeeds the given threshold within the interval do the Exec # Same as SingleWithThreshold in SEC Condition $Message =~ /^thresholded/
\ \ \ \
6.3.4
Filter (pm_lter)
This is a simple module which forwards log messages if the specied condition is TRUE.
Note This module has been obsoleted by the nxlog language because ltering is now possible in any module using the drop() procedure conditionally in the Exec directive.
6.3.4.1
Conguration
In addition to the common module directives, the following can be used to congure the pm_lter module instance. Condition This mandatory directive takes an expression as argument which must evaluate to a boolean value. If the expression does not evaluate to TRUE, the log message is discarded.
6.3.4.2 Conguration examples
6.3.5
This module can be used to lter out repeating messages. Similarly to syslog daemons, this module checks the previous message against the current. If they match, the current message is dropped. The module waits one second for duplicated messages to arrive. If duplicates are detected, the rst message is forwarded, the rest is dropped and a message containing "last message repeated X times" is sent instead.
6.3.5.1
Conguration
In addition to the common module directives, the following can be used to congure the pm_norepeat module instance. CheckFields This optional directive takes a comma separated list of eld names which are used to compare log messages. Only the elds listed here are compared, the others are ignored. For example the EventTime eld will be different in repeating messages, so this eld should not be used in the comparison. If this directive is not specied, the default eld to be checked is Message.
6.3.5.2 Fields generated by pm_norepeat
The following elds are set by pm_norepeat: $raw_event Type string Will be set to "last message repeated X times". $Message Type string Set to the same value as $raw_event. $SeverityValue Type integer Its value will be set to 6 which is the "info" severity level. $Severity Type string The severity name of the event. $EventTime Type datetime Will be set to the time of the last event or the current time if EventTime was not present in the last event. $SourceName Type string Will be set to nxlog. $ProcessID Type integer The eld is lled with the process id of the nxlog process.
6.3.5.3 Conguration examples
6.3.6
Null (pm_null)
This module does not do any special processing, so basically it does nothing. Though the Exec and the Schedule directive is available in this module just like in any other, thus it can be quite useful. This module does not have any module specic conguration directives. See this example for usage.
6.3.7
This module makes it possible to execute pattern matching efciently using a pattern database le in XML format. Using this module is more efcient than having nxlog regular expression rules listed in Exec directives, because the pm_pattern module was designed in such a way that patterns need not to be matched linearly. In addition, the module does an automatic on-the-y pattern reordering internally for further speed improvements and it has a feature which can be used to tag messages with additional elds useful for message classication. See the Pattern matching and message classication section for additional examples. Regular expressions are the most widely used in pattern matching. Unfortunately using a large number of regular expression based patterns does not scale well, because these need to be evaluated linearly. There are other techniques such as the radix tree which solve the linearity problem, the drawback is that usually these require a special syntax for specifying patterns which users must learn. If the log message is already parsed and is not treated as single line of message, then it is possible to process only a subset of the patterns which partially solves the linearity problem. With the other performance improvement tricks employed within the pm_pattern module, its speed can compare to the other techniques such as a radix tree based pattern matcher. Yet the pm_pattern module can keep using regular expressions which all programmers and system administrators are familiar with and this also provides an easy migration of regexp patterns from other tools and already existing patterns. Traditionally pattern matching on log messages has employed a technique where the log message was one string and the pattern (regular expression or radix tree based pattern) was executed against it. To match patterns against logs which contain structured data (such as the Windows EventLog), this structured data (the elds of the log) must be converted to a single string. This is a simple but inefcient method used by many tools. The nxlog patterns dened in the XML pattern database le can contain more than one eld, this allows multi-dimensional pattern matching. Thus with nxlogs pm_pattern module there is no need to convert all elds into a single string as it can work with multiple elds. Patterns can be grouped together under pattern groups. Pattern groups serve an optimization purpose. The group can have an optional matchfield block which can check a condition. If the condtion (such as $SourceName matches sshd ) is satised, the pm_pattern module will dive into the group and check each pattern against the log. If the pattern groups condition didnt match (i.e. $SourceName wasnt sshd ), the module can thus skip all patterns in the group without having to check each pattern one by one. When the pm_pattern module nds a matching pattern, the PatternID and PatternName elds are set on the log message. These can be used later in conditional processing and correlation rules for example.
Note The pm_pattern module does not process all patterns. It exits after the rst matching pattern is found. This means that at most one pattern can match a log message. You should avoid writing a pattern to be used with pm_pattern which can match a subset of logs that match another pattern. For example if you have two regular expression patterns \d+ and \d\d , the second may be never matched because of the rst. The internal order of patterns and pattern groups is changed dynamically by pm_pattern. Those patterns are placed and tried rst which have the highest match count. Reasons for this operation mode are:  Performance optimization,  Setting the value of $PatternID would be problematic with multiple values because the language does not support arrays. If you want a strictly linearly executing mattern matcher, you should use the Exec directive and write your rules there.
6.3.7.1
Conguration
In addition to the common module directives, the following can be used to congure the pm_pattern module instance.
PatternFile This mandatory directive species the name of the pattern database le.
6.3.7.2
Pattern database le
Example 6.46 A simple pattern database This pattern database contains two patterns to match ssh authentication messages. The patterns are under a group named ssh which checks whether the eld SourceName is sshd and only tries to match the patterns if the logs are indeed from sshd. The patterns both extract AuthMethod , AccountName and SourceIP4Address from the log message when the pattern matches the log. Additionally TaxonomyStatus and TaxonomyAction are set. The second pattern utilizes the Exec block which is evaluated when the pattern matches.
Note For this pattern to work, the logs must be parsed with parse_syslog() prior to feeding it to the pm_pattern module because it uses the SourceName and Message elds.
<?xml version=1.0 encoding=UTF-8?> <patterndb> <created>2010-01-01 01:02:03</created> <version>42</version> <group> <name>ssh</name> <id>42</id> <matchfield> <name>SourceName</name> <type>exact</type> <value>sshd</value> </matchfield> <pattern> <id>1</id> <name>ssh auth success</name> <matchfield> <name>SourceName</name> <type>exact</type> <value>sshd</value> </matchfield> <matchfield> <name>Message</name> <type>regexp</type> <!-- Accepted publickey for nxlogfan from 192.168.1.1 port 4242 ssh2 --> <value>^Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2</value> <capturedfield> <name>AuthMethod</name> <type>string</type> </capturedfield> <capturedfield> <name>AccountName</name> <type>string</type> </capturedfield> <capturedfield> <name>SourceIP4Address</name> <type>string</type> </capturedfield> </matchfield> <set> <field> <name>TaxonomyStatus</name> <value>success</value> <type>string</type> </field> <field> <name>TaxonomyAction</name> <value>authenticate</value> <type>string</type>
6.3.7.3
The following elds are set by pm_pattern: $PatternID Type integer Set to the id number of the pattern which matched the message. $PatternName Type string Set to the name of the pattern which matched the message.
6.3.7.4 Conguration examples
6.3.8
The pm_transformer module provides parsers for syslog (both legacy and the newer IETF standard), CSV, JSON and XML formatted data and can also convert between. This module is now obsoleted by the functions and procedures provided by the following modules: xm_syslog xm_csv xm_json xm_xml Though using this pm_transformer module can be slightly faster than calling these procedures from an Exec directive.
6.3.8.1 Conguration
In addition to the common module directives, the following can be used to congure the pm_transformer module instance. InputFormat This directive species the input format of the $raw_event eld so that it is further parsed into elds. If this directive is not specied, no parsing will be done.
syslog_rfc3164 Input is parsed in bsd syslog format as dened by RFC 3164. This does the same as the parse_syslog_bsd() procedure. syslog_bsd Same as syslog_rfc3164. syslog_rfc5424 Input is parsed in IETF syslog format as dened by RFC 5424. This does the same as the parse_syslog_ietf() procedure. syslog_ietf Same as syslog_rfc5424. CSV Input is parsed as a comma separated list of values. See xm_csv for similar functionality. The input elds must be dened dened by CSVInputFields XML Input is parsed as XML. This does the same as the parse_xml() procedure. JSON Input is parsed as JSON. This does the same as the parse_json() procedure. CSVInputFields This is a comma separated list of elds which will be lled from the input parsed. The eld names must have the dollar sign "$" prepended. CSVInputFieldTypes This optional directive species the list of types corresponding to the eld names dened in CSVInputFields. If specied, the number of types must match the number of eld names specied with CSVInputFields. If this directive is omitted, all elds will be stored as strings. This directive has no effect on the elds-to-csv conversion. OutputFormat This directive species the output transformation. If this directive is not specied, elds are not converted and $raw_event is left unmodied. syslog_rfc3164 Output in $raw_event is formatted in bsd syslog format as dened by RFC 3164. This does the same as the to_syslog_bsd() procedure. syslog_bsd Same as syslog_rfc3164. syslog_rfc5424 Output in $raw_event is formatted in IETF syslog format as dened by RFC 5424. This does the same as the to_syslog_ietf() procedure. syslog_ietf Same as syslog_rfc5424. syslog_snare Output in $raw_event is formatted in SNARE syslog format. This does the same as the to_syslog_snare() procedure. This is to be used in conjunction with the im_mseventlog or im_msvistalog module to produce an output compatible with Snare Agent for Windows. CSV Output in $raw_event is formatted as a comma separated list of values. See xm_csv for similar functionality. XML Output in $raw_event is formatted in XML. This does the same as the to_xml() procedure. JSON Output in $raw_event is formatted as JSON. This does the same as the to_json() procedure. CSVOutputFields This is a comma separated list of message elds which are placed in the CSV lines. The eld names must have the dollar sign "$" prepended.
6.3.8.2
Conguration examples
6.4
6.4.1
Output modules
Blocker (om_blocker)
This module serves testing purposes mostly. It will block log messages in order to simulate a blocked route. This can easily create a similar situation when a network transport output module such as om_tcp blocks because of a network problem. See the sleep() procedure which can delay log message output and can also help testing similar situations.
6.4.1.1
Conguration examples
6.4.2
DBI (om_dbi)
The om_dbi module utilizes the libdbi database abstraction library to enable storing logs in various database engines supported by the library such as MySQL, PostgreSQL, MSSQL, Sybase, Oracle, SQLite, Firebird. This module makes it possible to insert logs directly into an SQL database. You can specify the INSERT statement which will be executed for each log, this enables inserts into any table schema.
Note libdbi needs drivers to be able to access the database engines. These are in the libdbd-* packages on Debian and Ubuntu Linux. On Centos 5.6 there is a libdbi-drivers rpm package but this does seem to contain any driver binaries under /usr/lib64/dbd. The real driver for MySQL lives in libdbi-dbd-mysql. Same for PostgreSQL. Make sure you have these installed, otherwise you will get a libdbi driver initialization error.
Note On Windows libdbi can be compiled with cygwin only, so the binary msi package does not contain this module.
6.4.2.1
Conguration
In addition to the common module directives, the following can be used to congure the om_dbi module instance. Driver This mandatory directive species the name of the libdbi driver which will be used to connect to the database. You will need to provide a DRIVER name here for which a loadable driver module exists under the name libdbdDRIVER.so (usually under /usr/lib/dbd/). The mysql driver is in the libdbdmysql.so le. SQL This directive should specify the INSERT statement which is executed for each log message. The elds names (names with a $ sign) will be replaced with the value they contain. String types will be quoted. Option This directive can be used to specify additional driver options such as the connection parameters. The manual of the libdbi driver should contain the available options which can be used here.
6.4.2.2 Conguration examples
These two examples below are for the plain syslog elds. Depending on your requirements, you may want to store additional or other elds which were generated by parsers, regexp rules, the pm_pattern pattern matcher module or input modules. Notably the im_msvistalog and im_mseventlog modules generate different elds which you may want to store in an SQL database similarly to these examples.
Example 6.50 Storing syslog in a PostgreSQL database Below is a table schema which can be used to store syslog data.
CREATE TABLE log ( id serial, timestamp timestamp not null, hostname varchar(32) default NULL, facility varchar(10) default NULL, severity varchar(10) default NULL, application varchar(10) default NULL, message text, PRIMARY KEY (id) );
6.4.3
Program (om_exec)
This module will execute a program or script on startup and will write (pipe) the log data to the programs standard input. Unless OutputType is set to something else, only the contents of the $raw_event eld are sent over the pipe. The execution of the program or script will terminate when the module is stopped, which usually happens when nxlogs exits and the pipe is closed.
Note The program or script is started when nxlog start and must not exit until the module is stopped. To invoke a script for each log message, use xm_exec instead.
6.4.3.1
Conguration
In addition to the common module directives, the following can be used to congure the om_exec module instance. Command This directive is mandatory. It species the name of the script/program to be executed. Arg This is an optional parameter, multiple can be specied for each argument needed to pass to the Command. Note that specifying multiple arguments with one Arg directive separated with spaces will not work because the Command will receive it as one argument, so you will need to split them up. OutputType See the description about OutputType in the global module cong section.
6.4.3.2
Conguration examples
This exact same conguration is not recommended for real use because im_le was designed to read log messages from les. This example only demonstrates the use of the om_exec module.
6.4.4
File (om_le)
In addition to the common module directives, the following can be used to congure the om_le module instance. File This mandatory directive species the name of the output le to open. It must be a string type expression. Note that the lename must be quoted to be a valid string literal unlike in other directives which take a lename argument. For relative lenames you should be aware that nxlog changes its working directory to / unless the global SpoolDir is set to something else. CreateDir This optional directive takes a boolean value of TRUE or FALSE. If not specied, the default value is FALSE. If it is set to TRUE, the directory will be created if it doesnt exist before opening the le for writing. Truncate This optional directive takes a boolean value of TRUE or FALSE. If set to TRUE, the le will be truncated before each write, meaning that only the most recent log message is saved. By default this is FALSE. Sync This optional directive takes a boolean value of TRUE or FALSE. If set to TRUE, the le is synced after each log message, ensuring that it is really written to disk from the buffers. This can hurt performance, thus by default it is turned off. OutputType See the description about OutputType in the global module cong section.
6.4.4.2 6.4.4.2.1 Functions and procedures exported by om_le Functions exported by om_le
string file_name(); description Return the name of the le currently open which was specied using the File directive. Note that this will be the old name if the le name changes dynamically. If you want the new name, use the expression you specied for the File directive instead of usng this function.
return type string integer file_size(); description Return the size of the currently open output le in bytes. It will return undef if the le is not open. This can happend if File is not a string literal expression and there was no log message. return type integer
6.4.4.2.2 Procedures exported by om_le
rotate_to(string filename); description Rotate the current le to the lename specied. The module will then open the original le specied with the File directive. Note that the rename(2) system call is used internally which does not support moving les across different devices on some platforms. If this is a problem, rst rotate the le on the same device and then using the exec_async() procedure of the xm_exec module you can copy it to another device or le system or use the le_copy() procedure call provided by the xm_leop module. arguments lename type: string reopen(); description Reopen the File. This function should be called if the le has been removed or renamed e.g. with the le_cycle(), le_remove(), le_rename() functions of the xm_le module. This does not need to be called after rotate_to() because that reopens the le automatically.
6.4.4.3 Conguration examples
6.4.5
HTTP(s) (om_http)
This module will connect to the url specied in the conguration in either plain HTTP or HTTPS mode. Each event data is transferred in a single POST request. The module then waits for a response containing a successful status code (200, 201 or 202). It will reconnect and retry the delivery if the remote has closed the connection or a timeout is exceeded while waiting for the repsponse. This HTTP-level acknowledgement ensures that no messages are lost during transfer.
6.4.5.1 Conguration
In addition to the common module directives, the following can be used to congure the om_http module instance. Url This mandatory directive species the URL where the module should POST the event data. The module checks the url whether to operate in plain HTTP or HTTPS mode. It connects to the hostname specied in the url. If the port number is not explicitly indicated it defaults to 80 and 443 for HTTP and HTTPS respectively. HTTPSCertFile This species the path of the certicate le to be used in the HTTPS handshake. HTTPSCertKeyFile This species the path of the certicate key le to be used in the HTTPS handshake. HTTPSKeyPass Optional password of the certicate key le dened in HTTPSCertKeyFile. For passwordless private keys the directive is not needed. HTTPSCAFile This species the path of the certicate of the CA which will be used to check the certicate of the remote HTTPS server. HTTPSCADir This species the path of CA certicates which will be used to check the certicate of the remote HTTPS server. The cert le names in this directory must be in the OpenSSL hashed format.
HTTPSCRLFile This species the path of the certicate revocation list (CRL) which will be used to check the certicate of the remote HTTPS server. HTTPSCRLDir This species the path of certicate revocation lists (CRLs) which will be used to check the certicate of the remote HTTPS server. The le names in this directory must be in the OpenSSL hashed format. HTTPSAllowUntrusted This takes a boolean value of TRUE or FALSE and species whether the connection should be allowed without certicate verication. If set to TRUE the connection will be allowed even if the remote HTTPS server presents unknown and self-signed certicates. The default value is FALSE if this directive is not specied, meaning that the remote end must present a trusted certicate by default.
6.4.5.2 6.4.5.2.1 Functions and procedures exported by om_http Procedures exported by om_http
set_http_request_path(string path); description Sets the path in the HTTP request to the string specied. This is useful if the URL is dynamic and parameters such as event id need to be included in the URL. Note that the string must be url encoded if it contains reserved characters. arguments path type: string
6.4.5.3 Conguration examples
6.4.6
Null (om_null)
Log messages sent to the om_null module instance are discarded, this module does not write its output anywhere. It can be useful for creating a dummy route, testing purposes. It can have Scheduled nxlog code execution as well like any other module, so it is not completely useless. This module does not have any module specic conguration directives. See this example for usage.
6.4.7
TLS/SSL (om_ssl)
The om_ssl module provides an SSL/TLS transport using the OpenSSL library beneath the surface. It behaves similarly to the om_tcp module, except that an SSL handshake is performed at connection time and the data is received over a secure channel. Because log messages transferred over plain TCP can be eavasdropped or even altered with a man-in-the-middle attack, using the om_ssl module provides a secure log message transport.
6.4.7.1 Conguration
In addition to the common module directives, the following can be used to congure the om_ssl module instance. Host This species the IP address or a dns hostname where the module should connect to. Port This species the port number where the module should connect to. Reconnect This directive has been deprecated as of version 2.4. The module will try to reconnect automatically at increasing intervals on all errors. CertFile This species the path of the certicate le to be used in the SSL handshake. CertKeyFile This species the path of the certicate key le to be used in the SSL handshake. KeyPass Optional password of the certicate key le dened in CertKeyFile. For passwordless private keys the directive is not needed. CAFile This species the path of the certicate of the CA which will be used to check the certicate of the remote socket against. CADir This species the path of CA certicates which will be used to check the certicate of the remote socket against. The cert le names in this directory must be in the OpenSSL hashed format. CRLFile This species the path of the certicate revocation list (CRL) which will be used to check the certicate of the remote socket against. CRLDir This species the path of certicate revocation lists (CRLs) which will be used to check the certicate of the remote socket against. The le names in this directory must be in the OpenSSL hashed format. AllowUntrusted This takes a boolean value of TRUE or FALSE and species whether the connection should be allowed without certicate verication. If set to TRUE the connection will be allowed even if the remote server presents unknown and selfsigned certicates. The default value is FALSE if this directive is not specied, meaning that the remote end must present a trusted certicate by default. OutputType See the description about OutputType in the global module cong section.
6.4.7.2
Conguration examples
6.4.8
TCP (om_tcp)
This module initiates a TCP connection to a remote host and transfers log messages. The TCP transfer protocol provides more reliable log transmission than UDP. If security is a concern, consider using the om_ssl module instead.
6.4.8.1 Conguration
In addition to the common module directives, the following can be used to congure the om_tcp module instance. Host This mandatory directive species the IP address or a dns hostname where the module should connect to. Port This species the port number where the module should connect to. The default port is 514 if this directive is not specied. Reconnect This directive has been deprecated as of version 2.4. The module will try to reconnect automatically at increasing intervals on all errors. OutputType See the description about OutputType in the global module cong section.
6.4.8.2
Conguration examples
6.4.9
UDP (om_udp)
This module sends log messages as UDP datagrams to the address and port specied in the conguration. UDP is the transport protocol of the old BSD syslog standard as described in RFC 3164, so this module can be particularly useful to send such messages to devices or syslog daemons which do not support other transports.
6.4.9.1 Conguration
In addition to the common module directives, the following can be used to congure the om_udp module instance. Host This mandatory directive species the IP address or a dns hostname which the module will send UDP datagrams to. Port This species the port number which the module will send UDP packets to. The default port is 514 if this directive is not specied. SockBufSize This optional directive sets the socket buffer size (SO_SNDBUF) to the value specied. Otherwise the OS defaults are used. OutputType See the description about OutputType in the global module cong section.
6.4.9.2 Conguration examples
6.4.10
UDS (om_uds)
This module allows log messages to be sent to a unix domain socket. Traditionally unix systems have a socket, typically /dev/log used by the system logger to accept messages from. Applications wishing to send messages to the system log use the syslog(3) system call. nxlog can use this module to send log messages to the socket (=system logger) directly if another syslog daemon is in use.
Note This module supports SOCK_DGRAM type sockets only. SOCK_STREAM type sockets will be supported in the future.
6.4.10.1
Conguration
In addition to the common module directives, the following can be used to congure the om_uds module instance. UDS This species the path of the unix domain socket. The default is /dev/log if this is not specied. OutputType See the description about OutputType in the global module cong section.
6.4.10.2 Conguration examples
Chapter 7
The nxlog-processor tool is similar to the nxlog daemon, it uses the same conguration le. The difference is that it runs in foreground and will exit if there are no more log messages available from the input sources. The input sources are typically le and database sources. This tool is useful for ofine log processing tasks such as loading a bunch of les into a database, converting between different formats (e.g. CSV and syslog), testing patterns, doing ofine event correlation or HMAC message integrity checking. FIXME manpage and usage
Chapter 8
8.1
Operating Systems
This section provides information and examples about collecting system messages of various operating systems. OS specic applications are also discussed here. The following sources are not operating system specic but work on most supported platforms: Network Database Files External programs and scripts Multi-platform applications
8.1.1
8.1.1.1
Microsoft Windows
Windows EventLog
To collect log messages from the EventLog subsystem on Windows 2000 and 2003, use the im_mseventlog module. This will also work on later versions, but the im_msvistalog module is recommended for use on Windows 2008, Vista and later. See the im_mseventlog and im_msvistalog conguration examples.
8.1.1.2 Microsoft SQL Server
Microsoft SQL Server stores its logs in UTF-16 encoding using a line-based format. It is recommended to normalize the encoding to UTF-8. The following cong snipped will do that.
<Extension _charconv> Module xm_charconv </Extension> <Input in> Module
im_file
As of this writing, the LineBased parser, the default InputType for im_le is not able to properly read the double-byte UTF-16 encoded les and will read an additional empty line (because of the double-byte CRLF). The above drop() call is intended to x this. convert_elds(UTF-16,UTF-8); might also work instead of UCS-2LE.
8.1.1.3 Microsoft IIS
Microsoft Internet Information Server supports different log le formats. Log les created by IIS are line-based and can be read with im_le.
<Input IIS> Module im_file File C:\inetpub\logs\LogFiles\u_ex* </Input>
The above needs to be extended with appropriate parser rules if you want to parse the individual elds. See the following options depending on the format which is congured for your instance.
8.1.1.3.1 W3C Extended Log File Format
See the W3C Extended Log File Format section in the Processing messages chapter, the W3C Extended Log File Format (IIS 6.0) docs and the W3C Extended Log File Examples (IIS 6.0).
8.1.1.3.2 Microsoft IIS Format
The IIS format is line-based, elds are comma separated. It can be parsed with the help of the xm_csv module or with regular expressions.
8.1.1.3.3 NCSA Common Log File Format
See the NCSA Common Log Format section in the Processing messages chapter.
8.1.1.3.4 ODBC Logging
To read IIS logs from the ODBC datastore, use the im_odbc module.
8.1.2
GNU/Linux
Kernel logs The im_kernel module is dedicated to read the kernel log buffer. Local syslog Local syslog is sent to the unix domain socket at /dev/log. The im_uds module should be used together with xm_syslog or pm_transformer.
8.1.3
Android
Kernel logs The Linux kernel log can be read with the im_kernel module. Android device logs Android has a special in-kernel logging system. The im_android module can read this.
8.2
Network
This section provides information and examples about receiving log messages from the network over various protocols.
8.2.1
UDP
See im_udp.
8.2.2
TCP
See im_tcp.
8.2.3
See im_ssl.
8.2.4
Syslog
If you need to receive syslog over the network, the xm_syslog or pm_transformer module should be coupled with one of the network modules above. Syslog parsing is not even required if you only want to forward or store syslog as is.
8.3
Database
With special modules it is possible to read logs directly from database servers.
8.3.1
Using im_dbi
The im_dbi module can be used on POSIX systems where libdbi is available. See the im_dbi module documentation.
8.3.2
Using im_odbc
The im_odbc module can be used with ODBC compatible databases on Windows, Linux and Unix.
8.4
Files
The im_le module can be used to read logs from les. See Processing messages chapter about parsing various formats.
8.5
The im_exec module can be used to read logs from external programs and scripts over a pipe. See Processing messages chapter about parsing various formats.
8.6
Applications
This section provides information and examples about collecting log messages from various operating system independent (i.e. multi-platform) applications. Operating system applications are discussed in the previous section.
8.6.1
The Apache HTTP Server provides very comprehensive and exible logging capabilities
8.6.1.1 Error log
FIXME
8.6.1.2 Access log - Common Log Format
See the NCSA Common Log Format section in the Processing messages chapter.
8.6.1.3 Access log - Combined Log Format
See the NCSA Combined Log Format section in the Processing messages chapter.
8.6.2
Apache tomcat and java applications are very exible and can be congured for different transports and formats. Here is a log sample consisting of 3 events. The log message of the second event spans multiple lines.
2001-01-25 17:31:42,136 INFO [com.nxsec.somepackage.Class] - single line 2001-01-25 17:41:16,268 ERROR [com.nxsec.somepackage.Class] - Error retrieving names: ;  nested exception is: java.net.ConnectException: Connection refused AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: faultString: java.net.ConnectException: Connection refused faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:java.net.ConnectException: Connection  refused 2001-01-25 17:57:38,469 INFO [com.nxsec.somepackage.Class] - third log message
Example 8.1 Parsing tomcat logs into elds This can be very useful to lter messages by the emitting java class for example.
<Input log4j> Module im_file File "/var/log/tomcat6/catalina.out" Exec if $raw_event =~ /^(\d{4}\-\d{2}\-\d{2} \d{2}\:\d{2}\:\d{2}),\d{3} (\S+) \[(\S+)\] \- (.*)/ \ { \ $log4j.time = parsedate($1); \ $log4j.loglevel = $2; \ $log4j.class = $3; \ $log4j.msg = $4; \ } </Input> <Output out> Module om_null </Output> <Route tomcat> Path log4j => out </Route>
To parse and process multi-line messages such as the above, see the Dealing with multi-line messages section.
8.7
Devices
This section deals with special devices such as routers, rewalls, switches and other appliances.
8.7.1
Cisco
Cisco devices can be instructed to log over syslog. Unfortunately the lousy syslog RFC standards compliance and the different formats of cisco devices make it hard to have a universal cisco syslog parser. Some examples follow.
Example 8.2 Cisco Secure Access Control Server Refer to the Conguring Syslog Logging section in the Cisco Conguration Guide. An example syslog record from a Cisco ACS device looks like the following:
<38>Oct 16 21:01:29 10.0.1.1 CisACS_02_FailedAuth 1k1fg93nk 1 0 Message-Type=Authen failed,  User-Name=John,NAS-IP-Address=10.0.1.2,AAA Server=acs01
The following conguration le instructs nxlog to accept syslog messages on UDP port 1514. The payload is parsed as syslog and then the ACS specic elds are extracted. The output is written to a le in JSON format.
<Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 1514 Exec parse_syslog_bsd(); Exec if ( $Message =~ /^CisACS_(\d\d)_(\S+) (\S+) (\d+) (\d+) (.*)$/ ) \ { \ $ACSCategoryNumber = $1; \ $ACSCategoryName = $2; \ $ACSMessageId = $3; \ $ACSTotalSegments = $4; \ $ACSSegmentNumber = $5; \ $Message = $6; \ if ( $Message =~ /Message-Type=([^\,]+)/ ) { $ACSMessageType = $1; } \ if ( $Message =~ /User-Name=([^\,]+)/ ) { $AccountName = $1; } \ if ( $Message =~ /NAS-IP-Address=([^\,]+)/ ) { $ACSNASIPAddress = $1; } \ if ( $Message =~ /AAA Server=([^\,]+)/ ) { $ACSAAAServer = $1; } \ } # else log_warning("does not match: " + to_json()); </Input> <Output out> Module om_file File "tmp/output.txt" Exec to_json(); </Output> <Route 1> Path in => out </Route>
Example 8.3 Cisco PIX and Cisco ASA The PIX Log Message Format is described in the Cisco PIX Firewall System Log Messages document. An example syslog record from a Cisco ASA device looks like the following:
<38>Oct 12 2004 22:45:15 : %ASA-2-106006: Deny inbound UDP from 10.0.1.2/137 to 10.0.1.1/137 on interface inside 
The following conguration le instructs nxlog to accept syslog messages on UDP port 1514. The payload is parsed as syslog and then the ASA/PIX specic elds are extracted. The output is written to a le in JSON format.
Note The variables can be extracted into elds with further parsing rules based on CiscoMessageNumber . See the System Log Messages for a complete list. If you intend to create parsing rules for a lot of message types, consider using the pm_pattern module.
<Extension json> Module xm_json </Extension> <Extension syslgo> Module xm_syslog </Extension> <Input in> Module im_udp Host 0.0.0.0 Port 1514 Exec parse_syslog_bsd(); Exec if ( $Message =~ /^\: \%(ASA|PIX)-(\d)-(\d\d\d\d\d\d)\: (.*)$/ ) \ { \ $CiscoSeverityNumber = $2; \ $CiscoMessageNumber = $3; \ $Message = $4; \ } \ else log_warning("does not match: " + $raw_event); </Input> <Output out> Module om_file File "tmp/output.txt" Exec to_json(); </Output> <Route 1> Path in => out </Route>
8.7.2
Checkpoint
The im_checkpoint module can collect logs from Checkpoint devices over the OPSEC LEA protocol. (Note: available in the Enterprise Edition only).
Chapter 9
Processing logs
This chapter deals with various tasks that might be required after a log message is received by nxlog.
9.1
There are a couple standard log le formats in use by various applications such as web servers, rewalls, ftp servers etc. This section tries to give a hand by providing cong snippets to parse these formats. Data is parsed and processed in multiple steps. For stream based data (e.g. les, TCP, SSL) the input module must know the log message boundary in order to be able to read each message frame. The framing depends on the format. The most common type is line-based, where each log message is separated by a linebreak. Log messages may be separated by the header only such as multi-line messages (e.g. stack and exception traces in java). So the rst step during message reception is to read the frames, i.e. the log messages. This task is done by the input reader functions which can be specied with the InputType directive. There are a couple built-in input reader functions, others may be registered by modules. There may be additional parsing involved or required after a message is read. For example when a BSD syslog message is read, the message frame is read by the LineBased input reader. Then this message may be further parsed (i.e. to extract the hostname, date, severity) by modules (such as xm_syslog) or using nxlog language constructs in the Exec directive. This will result in nxlog message elds lled with value. There may be additional processing taken place to further tokenize or parse specic eld contents (e.g. $Message) using regular expressions or the pm_pattern module.
9.1.1
See the specication draft of the format, its not all that long. The important header line is the one which starts with #Fields. Using this information you can set up a parser rule to tokenize the elds using either xm_csv (as shown in the example below), pm_transformer or using regular expressions directly (similarly to how its done in the Parsing apache logs in Combined Log Format example).
Example 9.1 Parsing the W3C Extended Log File Format using xm_csv Here is a sample log in this format which we need to parse:
#Version: 1.0 #Date: 2011-07-01 00:00:00 #Fields: date time cs-method cs-uri 2011-07-01 00:34:23 GET /foo/bar1.html 2011-07-01 12:21:16 GET /foo/bar2.html 2011-07-01 12:45:52 GET /foo/bar3.html 2011-07-01 12:57:34 GET /foo/bar4.html
The following conguration reads this le, tokenizes it with the csv parser. Header lines starting with a leading sharp (#) are ignored. The EventTime eld is constructed from the date and time elds and is converted to a datetime type. Finally the elds are output as JSON into another le.
<Extension w3c> Module xm_csv Fields $date, $time, $HTTPMethod, $HTTPURL FieldTypes string, string, string, string Delimiter   QuoteChar " EscapeControl FALSE UndefValue </Extension> <Extension json> Module xm_json </Extension> <Input in> Module im_file File "tmp/iis.log" ReadFromLast FALSE Exec if $raw_event =~ /^#/ drop(); \ else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); } </Input> <Output out> Module om_file Exec $raw_event = to_json(); File "tmp/output.json" </Output> <Route 1> Path in => out </Route>
\ \ \ \
9.1.2
FIXME
9.1.3
Example 9.2 Parsing apache logs in Combined Log Format The following conguration shows an example for ltering access logs and only storing those related to the user john:
<Input access_log> Module im_file File "/var/log/apache2/access.log" Exec if $raw_event =~ /^(\S+) (\S+) (\S+) \[([^\]]+)\] \"(\S+) (.+) HTTP.\d\.\d  \" (\d+) (\d+) \"([^\"]+)\" \"([^\"]+)\"/\ { \ $Hostname = $1; \ if $3 != - $AccountName = $3; \ $EventTime = parsedate($4); \ $HTTPMethod = $5; \ $HTTPURL = $6; \ $HTTPResponseStatus = $7; \ $FileSize = $8; \ $HTTPReferer = $9; \ $HTTPUserAgent = $10; \ } </Input> <Output out> Module om_file File /var/log/john_access.log Exec if not (defined($AccountName) and ($AccountName == john)) drop(); </Output> <Route apache> Path access_log => out </Route>
9.1.4
FIXME
9.1.5
Comma, space, semicolon separated eld list is a frequently used format. See the xm_csv and/or pm_transformer modules.
9.1.6
JSON
9.1.7
XML
9.2
The parsedate() function can be used to efciently parse strings representing a date. See the Parsing apache logs in Combined Log Format example for sample usage.
The following formats are supported by parsedate: RFC 3164 date Legacy syslog messages contain the date in this format which lacks the year. Example:
Sun 6 Nov 08:49:37
Unfortunately there are some deviations in some implementations, so the following are also recognized:
Sun 06 Nov 08:49:37 Sun 6 Nov 08:49:37
RFC 1123 RFC 1123 compliant dates are also supported, including a couple others which are similar such as those dened in RFC 822, RFC 850 and RFC 1036. Here is the concrete list:
Sun, 06 Nov 1994 08:49:37 GMT Sunday, 06-Nov-94 08:49:37 GMT Sun Nov 6 08:49:37 1994 Sun, 6 Nov 1994 08:49:37 GMT Sun, 06 Nov 94 08:49:37 GMT Sun, 6 Nov 94 08:49:37 GMT Sun, 6 Nov 94 08:49:37 GMT Sun, 06 Nov 94 08:49 GMT Sun, 6 Nov 94 08:49 GMT Sun, 06 Nov 94 8:49:37 GMT Sun, 6 Nov 94 8:49:37 GMT Mon, 7 Jan 2002 07:21:22 GMT Sun, 06-Nov-1994 08:49:37 GMT ; ; ; ; ; ; ; ; ; ; ; ; ; RFC 822, updated by RFC 1123 RFC 850, obsoleted by RFC 1036 ANSI Cs asctime() format RFC 822, updated by RFC 1123 RFC 822 RFC 822 RFC 822 Unknown Unknown Unknown [Elm 70.85] Unknown [Elm 70.85] Unknown [Postfix] RFC 850 with four digit years
The above formats are recognized even without the leading day of week and without a timezone. Apache/NCSA date This format can be found in Apache access logs (NCSA Combined Log Format) and possibly other sources. Example:
24/Aug/2009:16:08:57 +0200
ISO and RFC 3339 date nxlog can parse the ISO format with or without subsecond resolution, and with or without timezone information. It accepts either a comma (,) or a dot (.) in case there is sub-second resolution. Examples:
1977-09-06 01:02:03 1977-09-06 01:02:03.004 1977-09-06T01:02:03.004Z 1977-09-06T01:02:03.004+02:00 2011-5-29 0:3:21 2011-5-29 0:3:21+02:00 2011-5-29 0:3:21.004 2011-5-29 0:3:21.004+02:00
CISCO syslog date This is an RFC 3164 format with millisecond precision. Example:
Nov 3 14:50:30.403 Nov 3 14:50:30.403 Nov 03 14:50:30.403
Dates without timezone information are treated as local time. The year will be set to 1970 for dates missing the year such as in the RFC 3164 date format. Use the x_year() function to correct the year in such cases. The parsedate() function returns an undened datetime type. You should take care of checking the return value for errors as in the example below. Example 9.3 Using the parsedate() function Since our regular expression is quite vague, it may match strings which are invalid. In this case parsedate() will return an undened datetime value.
$raw_event = "2020-02-03 04:05:06 ......"; if $raw_event =~ /^(\S+)\s+(\S+)/ { $EventTime = parsedate($1 + " " + $2); } # making sure $EventTime doesnt stay empty if not defined($EventTime) $EventTime = now();
If the above doesnt cut it, there is also strptime() to parse more exotic formats. Example 9.4 Parsing date and time from Exchange logs The following example is from an Exchange log. The date and time are delimited by a tab (i.e. they are two distinct elds). Also it uses a non standard single digit format instead of xed width with double digits:
2011-5-29 0:3:2 GMT ...
9.3
Filtering messages
Message ltering is a process where only a subset of the messages is let through. Filtering is possible using regular expressions or other operators using any of the elds.
9.3.1
Using drop()
File "/var/log/myapp/errors.txt" </Output> <Route 1> Path file => => out </Route>
9.3.2
The other option is to use the pm_lter module as in the following example:
<Input unix> Module im_uds uds /dev/log </Input> <Processor filter> Module pm_filter Condition $raw_event =~ /failed/ or $raw_event =~ /error/ </Processor> <Output out> Module om_file File "/var/log/error" </Output> <Route 1> Path unix => filter => out </Route>
9.4
9.4.1
This example uses regular expressions and module variables to concatenate lines belonging to a single event.
Unfortunately this solution has a minor aw. The log message of an event is only forwarded if a new log is read, otherwise it is kept in the saved variable indenitely.
9.4.2
Using xm_multiline
There is a dedicated extension module xm_multiline which makes it easier to deal with multi-line messages without the need to use module variables and write complex rules.
9.5
There are a couple ways to invoke external scripts and pass data to them.
9.5.1
Using the om_exec module, all messages can be piped to an external program or script which should be running until the module (or nxlog) is stopped.
9.5.2
The xm_exec module provides two procedure calls, exec() and exec_async(), to spawn an external script or program. See this le rotation example where bzip is executed to compress a logle.
9.5.3
Alerting
Alerting is a process when a notication message is triggered if a certain condition is satised. Alerting can be implemented using one of the previous two modules. When using om_exec, the alerting script will receive all messages. The following example shows how to send an email using xm_exec when a regexp condition is met:
<Extension exec> Module xm_exec </Extension> <Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec if $raw_event =~ /alertcondition/ {
\ exec_async("/bin/sh", "-c", echo " + $Hostname + \n\nRawEvent:\n + $raw_event + \ "|/usr/bin/mail -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" \ + user@domain.com ); \ } </Input> <Output out> Module om_file File "/var/log/messages" </Output> <Route r> Path in => out </Route>
9.6
There are many ways to modify log messages. A simple method which does not always work is to modify the $raw_event eld (in case of syslog) without parsing the message. This can be done with regular expressions using capturing, for example:
if $raw_event =~ /^(aaaa)(replaceME)(.+)/ $raw_event = $1 + replaceMENT + $3;
The more complex method is to parse the message into elds, modify some elds and nally reconstruct the message from the elds. The conditional rewrite of the syslog facility example shows such a syslog message modication method.
9.7
To convert between CSV formats, see this example. The following example shows an nxlog conguration which receives IETF syslog over UDP and forwards in the old BSD syslog format over TCP:
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_udp Port 514 Host 0.0.0.0 Exec parse_syslog_ietf(); to_syslog_bsd(); </Input> <Output out> Module om_tcp Host 1.2.3.4 Port 1514 </Output> <Route 1> Path in => out </Route>
Take a look at the pm_transformer module which can do format conversion. The requirements and possibilities for format conversion are endless. It is possible to do this using the nxlog language, dedicated modules, functions and procedures. For special cases a processor or extension module can be crafted to achieve this.
9.8
It is recommended to normalize logs to UTF-8. Even if you dont, there may be cases where you need to convert a string (a eld) or the whole message to another character set. See th xm_charconv module which adds support for character set conversion.
9.9
Discarding messages
See the drop() procedure which can be invoked conditionally in the Exec directive. The Filtering messages section shows an example for using drop(). There is also om_null which could work in some situations.
9.10
Rate limiting
The poor mans tool for rate limiting is the sleep() procedure.
Example 9.6 Using sleep for rate limiting In the following example sleep is invoked with 500 microseconds. This means that the input module will be able to read at most 2000 messages per second.
<Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec sleep(500); </Input> <Output out> Module om_null </Output> <Route r> Path in => out </Route>
While this is not very precise because the module can do additional processing which can add some to the total execution time, it gets fairly close.
Note Be careful if you are planning to add rate limiting to a route which reads logs over UDP.
9.11
Buffering
Each input module has its own read buffer which is used to ll with data during a read on a socket or le. Each processor and output has a limited queue where the log messages are put by the preceeding module in the route. The default limit for these internal queues is 100. Nevertheless, for buffering bigger amount of data, the pm_buffer module can do disk and memory based buffering.
9.12
Pattern matching is commonly used for message classication. When certain strings are detected in a log message, the message gets tagged with classiers. Thus it is possible to query or take action on these type of messages via the classier only.
9.12.1
The rst option is to use the =~ operator in an Exec directive. The following code snippet shows an example for message classication. Example 9.7 Regular expression based message classication When the contents of the Message eld match against the regular expression, the AccountName and AccountID elds are lled with the appropriate values from the referenced captured substrings. Additionally the value LoginEvent is stored in the Action eld.
if $Message =~ /^pam_unix\(sshd:session\): session opened for user (\S+) by \(uid=(\d+)\)/ { $AccountName = $1; $AccountID = integer($2); $Action = LoginEvent; } 
9.12.2
Using pm_pattern
When there are a lot of patterns, writing these in the conguration le will make it bloated, ugly and is not as efcient as using the pm_pattern module. The above pattern matching rule can be dened in pm_patterns XML format the following way which will accomplish the same.
<pattern> <id>42</id> <name>ssh_pam_session_opened</name> <description>ssh pam session opened</description> <matchfield> <name>Message</name> <type>REGEXP</type> <value>^pam_unix\(sshd:session\): session opened for user (\S+) by \(uid=(\d+)\)</  value> <capturedfield> <name>AccountName</name> <type>STRING</type> </capturedfield> <capturedfield> <name>AccountID</name> <type>INTEGER</type> </capturedfield> </matchfield> <set> <field> <name>Action</name> <type>STRING</type> <value>LoginEvent</value> </field> </set> </pattern>
9.13
Event correlation
It is possible to write correlation rules in the nxlog language using the builtin features such as the variables and statistical counters. While these are quite powerful, some cases cannot be detected with these, escpecially thoses conditions which require a sliding window. A dedicated nxlog module, pm_evcorr is available for advanced correlation requirements. It has similar features as SEC and greatly enhances the correlation capabilites of nxlog.
9.14
nxlog makes it possible to implement custom log rotation and retention policies for les written by nxlog and les written by other sources. The om_le and xm_leop modules export various procedures which can be used for this purpose: rotate_to reopen le_cycle le_rename le_remove le_copy le_truncate Should these native language construct be insufcient, it is always possible to call an exeternal script or program.
Example 9.8 Rotation of the internal LogFile This example shows how to rotate the internal logle based on time and size.
#define LOGFILE C:\Program Files\nxlog\data\nxlog.log define LOGFILE /var/log/nxlog/nxlog.log <Extension fileop> Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1Mb <Schedule> Every 1 hour Exec if (file_size(%LOGFILE%) >= 1M) file_cycle(%LOGFILE%, 2); </Schedule> # Rotate our log file every week on sunday at midnight <Schedule> When @weekly Exec file_cycle(%LOGFILE%, 2); </Schedule> </Extension>
9.15
Explicit drop
nxlog does not drop messages voluntarily. The built-in ow control mechanism ensures that the input modules will pause until the output modules can write. This can be problematic in some situations when it is preferable to drop messages than to block. The following example illustrates the use of the drop() procedure used in conjunction with pm_buffer. Example 9.10 Explicitly dropping messages when the network module is blocked In the following conguration we use two routes which send the input read from the UDP socket to two outputs, a le and a TCP destination. Without this setup when the TCP connection can transmit slower than the rate of incoming UDP packets or the TCP connetion is down, the whole chain (both routes) would be blocked which would result in dropped UDP packets. In this situation it is preferable to only drop log messages in the tcp route. In this route a pm_buffer module is used and the size of the buffer is checked. If the buffer size goes over a certain limit we assume that the TCP output is blocked (or sending too slow) and instruct to drop log messages using the drop() procedure. This way the UDP input will not get paused and all messages will be written to the output le regardless of the state of the TCP connection.
<Processor buffer> Module pm_buffer WarnLimit 800 MaxSize 1000 Type Mem Exec if buffer_size() >= 80k drop(); </Processor> <Input udpin> Module im_udp Host 0.0.0.0 Port 1514 </Input> <Output tcpout> Module om_tcp Host 192.168.1.1 Port 1515 </Output> <Output fileout> Module om_file File out.txt </Output> <Route tcp> Path udpin => buffer => tcpout </Route> <Route file> Path udpin => fileout </Route>
Chapter 10
10.1
In addition to the transport protocol, the data format is an important factor. If the remote receiver cannot parse the message, it will likely discard or it may be just improperly processed. Syslog There are two formats, the older BSD Syslog and the newer IETF syslog format as dened by RFC 3164 and RFC 5424. The transport protocol in syslog can be UDP, TCP or SSL. See the xm_syslog module about formatting and sending syslog messages to remote hosts over the network. Syslog SNARE The SNARE agent format is a special format on top of BSD Syslog which is used and understood by several tools and log analyzer frontends. This format is most useful when forwaring Windows EventLog data, i.e. in conjunction with im_mseventlog and/or im_msvistalog. The to_syslog_snare procedure call can construct SNARE syslog formatted messages. The following example shows a conguration for reading the windows eventlog and forwarding it over UDP in the SNARE Agent format. Example 10.1 Forwarding EventLogs from a windows machine to a remote host in the SNARE Agent format
<Extension syslog> Module xm_syslog </Extension> <Input in> Module </Input> <Output out> Module Host Port Exec </Output> <Route 1> Path </Route>
im_msvistalog
in => out
NXLOG Binary format The binary format is only understood by nxlog. All the elds are preserved when the data is sent in this format so there is no need to parse it again. You need to add this to the output module:
OutputType
Binary
CSV To send logs in CSV, use the xm_csv or the pm_transformer module. Graylog Extended Log Format (GELF) The xm_gelf module can be used to generate GELF output. JSON See the xm_json module docs about generating JSON output. BSON The BSON output format is currently unsupported. Support is planned and should be available in an upcoming nxlog release. XML See the xm_xml module docs about generating XML output.
10.2
The following network protocols can be used. There is a trade-off between speed, reliablilty, compatibility and security. UDP To send logs in UDP packets, use the om_udp module. TCP To send logs over TCP, use the om_tcp module. SSL/TLS To send logs over a trusted secure SSL connection, use the om_ssl module.
10.3
Files To store logs in local les, use the om_le module. Piping to an external script or program To send logs to an external program or script, use the om_exec module. Unix Domain Socket To send logs to a unix domain socket, use the om_uds module.
10.4
The om_dbi module can be used to store logs in databases which are supported by the libdbi database abstraction library. This is only supported on POSIX platforms and is not available on Windows.
Chapter 11
11.1
It is a common requirement to be able to detect conditions when there are no log messages coming from a source. This usually indicates a problem with the log source, such as a broken network connection, server down or an application/system service is stuck. Usually this problem should be detected by monitoring tools (nagios, openview etc), but the absence of logs can be also a good reason to investigate such a situation.
Note The im_mark module exists for a similar purpose. It can emit messages periodically in order to show that the system logger is not suffering problems.
The solution to this problem is the combined use of statistical counters and Scheduled checks. The input module can update a statistical counter congured to calculate events per hour for example. In the same input module a Schedule block is dened which checks the value of the statistical counter periodically. When the event rate is zero or drops below a certain limit, an appropriate action can be executed such as sending out an alert email or generating an internal warning message. Note that probably there are other ways to solve this issue and this method might not be the optimal for all situations.
Example 11.1 Alerting on absence of log messages The following conguration example creates a statistical counter in the context of the im_tcp module to calculate the number of events received per hour. The Schedule block within the context of the same module checks the value of the "msgrate" statistical counter and generates an internal error message when there were no logs received in the past hour.
<Input in> Module im_tcp Port 2345 Exec create_stat("msgrate", "RATE", 3600); add_stat("msgrate", 1); <Schedule> Every 3600 sec Exec create_stat("msgrate", "RATE", 10); add_stat("msgrate", 0); Exec if defined get_stat("msgrate") and get_stat("msgrate") <= 1 \ { \ log_error("No messages received from the source!"); \ } </Schedule> </Input> <Output out> Module om_file File "tmp/output" </Output> <Route 1> Path in => out </Route>
Chapter 12
Troubleshooting
According to Murphy, anything that can go wrong will go wrong. This chapter is to help diagnosing problems, be that conguration errors or possible bugs.
12.1
While nxlog is a tool to handle logs from external sources, it can and will emit logs about its own operations. These are essential to troubleshoot problems.
12.1.1
nxlog will log important events including errors and warnings into its logle. So the rst place to look for errors is the LogFile. If this directive is not specied in the conguration, you should add it.
Note Some windows applications (e.g. wordpad) cannot open the logle while nxlog is running because of exclusive le locking. Use a text le viewer which does not lock the le (e.g. notepad).
12.1.2
Internal logs can be read as a log source with the im_internal module. This makes it possible to forward the internal logs over the network for example.
Note This method will not work if the route which im_internal is part of is not functional. Logging with LogFile is more fault-tolerant and this is the recommended way for troubleshooting.
12.1.3
LogLevel
Internal logs are emitted only on LogLevel of INFO and above. It is possible to get detailed information about what nxlog is doing by setting LogLevel to DEBUG. This can produce an extreme amount of logs, it is recommended to enable this only for troubleshooting.
12.1.4
Running in foreground
When nxlog is running in foreground, it will emit logs to STDOUT and STDERR so the logs will be visible in the running terminal. This is the same log which is written to the LogFile. It can be started to run in foreground with nxlog -f.
12.1.5
Internal logs can be emitted from the conguration via the log_info() procedure call in the Exec directive. This can be extremely useful to print and debug message contents. Consider the following example:
<Input in> Module im_udp Port 514 Exec if $raw_event =~ /keyword/ log_info("FOUND KEYWORD IN MSG: [" + $raw_event + "]"); </Input>
Anything which is printed with the log_info() and family of procedure calls will appear in LogFile, on the STDOUT/STDERR of nxlog in foreground mode and wil be emitted by im_internal.
12.2
Common problems
This section will list a couple problems which you are likely to run into.
12.2.1
Missing logdata
As discussed in the architecture chapter, logs are received by input modules, forwarded to the processor modules and nally handled by the output modules. When these modules handle a log message, the Exec directive is evaluated. There are a few situations when such statements can be evaluated but the required log is not available in the current context. When the so called logdata is not available in the current context, any dependent operation will fail and the evaluation of the Exec code will terminate. Most notably these operations are eld assignments and function or procedure calls which access elds such as convert_elds(). Consider the following example. Example 12.1 Assignment after drop() In this example the message is conditionally dropped. When the $raw_event eld matches the keyword, the drop() operation is invoked which discards the log completely. If a subsequent statement follows which accesses the log, it will fail.
<Input in> Module im_udp Port 514 Exec if $raw_event =~ /keyword/ drop(); $EventTime = now(); </Input>
The following cong snippet xes the above error by correctly using conditional statements.
<Input in> Module im_udp Port 514 Exec if $raw_event =~ /keyword/ drop(); else $EventTime = now(); </Input>
\ \ \
Accessing a eld or calling a procedure/function which needs the logdata after the drop() procedure. Accessing a eld or calling a procedure/function which needs the logdata from the Exec directive of a Schedule block. Since this sche
12.2.2
You may receive this error message in nxlog.log when nxlog fails to start:
nxlog failed to start: Invalid keyword: # at C:\Program Files (x86)\nxlog\conf\nxlog.conf  :1
Some text editors may save the conguration le in UTF-16 or in UTF-8 with a BOM header. The conguration le must be encoded in ASCII or plain UTF-8, otherwise you will get this error. On windows using notepad.exe should work properly.
12.2.3
You may receive this error message on Windows when trying to open the logle (usually nxlog.log) with a text editor which uses exclusive locking. You can only open the log after nxlog is stopped. By using a text viewer or text editor which does not use exclusive locking (such as notepad.exe), you can open the logle without the need to stop nxlog.
12.2.4
Make sure that you have no rewall blocking the connection. The interface address or the hostname which resolves to the interface address must be accessible from the outside. See the Host directive of im_tcp.
12.3
When creating complex processing rules and congurations, you will most likely run into a problem and need to debug the stream of event log messages to see what has been received/read by the input(s), whether some required eld exists and what its value is, if the parser is working correctly and populating the elds as it should, all the elds and their values contained in the event log after parsing. The following conguration snippets show some examples how this can be done.
Example 12.2 Writing the values of elds to an external le The le_write() procedure provided by the xm_leop module can be used to dump information into an external le.
<Extension fileop> Module xm_fileop </Extension> <Extension syslog> Module xm_syslog </Extension> <Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec parse_syslog_bsd(); # Debug SyslogSeverity and Hostname fields Exec file_write("/tmp/debug.txt", "Severity: " + $SyslogSeverity + ", Hostname: " + $Hostname); </Input> <Output out> Module </Output> <Route r> Path </Route>
om_null
in => out
Example 12.3 Writing the values of elds to the internal log Using the log_info procedure the values can be sent to the internal log. This will be visible in the le dened with the LogFile global directive, in the input from the im_internal module and on standard output when running nxlog in foreground with the -f command line switch.
<Extension syslog> Module xm_syslog </Extension> <Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec parse_syslog_bsd(); # Debug SyslogSeverity and Hostname fields Exec log_info("Severity: " + $SyslogSeverity + ", Hostname: " + $Hostname); </Input> <Output out> Module </Output> <Route r> Path </Route>
om_null
in => out
Example 12.4 Dumping all the elds Using the to_json procedure provided by the xm_json module, all the elds can be dumped. If you prefer, you can use the to_xml procedure provided by the xm_xml module.
<Extension syslog> Module xm_syslog </Extension> <Extension json> Module xm_json </Extension> <Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec parse_syslog_bsd(); # Dump $raw_event Exec log_info("raw event is: " + $raw_event); # Dump fields in JSON Exec log_info("Other fields are: " + to_json()); </Input> <Output out> Module </Output> <Route r> Path </Route>
om_null
in => out
In some cases nxlog is already receiving some invalid data it cannot grok. To verify that indeed this is the case, use a network trafc analyzer such as wireshark or tcpdump.