Issue with nxlog - logs arrive tagged as USER.NOTICE


First question here... I'm struggling with nxlog, which behaves strangely: some logs don't enter my rsyslog fromhost-ip filtering rules while others work neatly with the exact same config file, and they fall through to the user.log file...

From what I have seen with tcpdump, it seems that the erroneous logs already arrive with a USER.NOTICE tag: [screenshot of tcpdump output]

And what's more, from the same machine, some logs arrive with the tag and others without...

Can you give me some leads to troubleshoot that?

Here is the nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting the Windows event log
<Input in>
    Module      im_msvistalog
</Input>

# Converting events to Snare format and sending them out over UDP syslog (port 514)
<Output out>
    Module      om_udp
    Host        SYSLOG_IP
    Port        514
    Exec        to_syslog_snare();
</Output>

# Connect input 'in' to output 'out'
<Route 1>
    Path        in => out
</Route>

Thanks in advance!
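The first thing to pin down when rsyslog files a message somewhere unexpected is what PRI value (facility and severity) each packet actually carried on the wire, since that is what tcpdump's "USER.NOTICE" annotation decodes, and a message that reaches rsyslog without a valid `<PRI>` prefix is assigned PRI 13, which is exactly user.notice. The decoder below is an added example, not code from the question or from nxlog; the sample lines are constructed in the shape that to_syslog_snare() emits (a BSD syslog header followed by a tab-separated "MSWinEventLog" body) and are not real captures.

```python
import re
from collections import Counter

# Syslog facility and severity names indexed by the numeric codes packed into
# the <PRI> header as facility * 8 + severity (RFC 3164 / RFC 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# rsyslog assumes PRI 13 (user.notice) when a message has no valid <PRI> prefix.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return the facility/severity of one raw syslog line and whether the PRI was explicit."""
    m = PRI_RE.match(line)
    if m is not None and int(m.group(1)) <= 191:  # 191 = local7.debug, the largest valid PRI
        pri, explicit = int(m.group(1)), True
    else:
        pri, explicit = DEFAULT_PRI, False
    return {
        "pri": pri,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "explicit": explicit,
        "snare": "MSWinEventLog" in line,  # Snare-format body marker used by nxlog
    }


def triage(lines):
    """Count how many lines land on each (facility.severity, explicit-PRI?) combination."""
    counts = Counter()
    for line in lines:
        d = decode_pri(line)
        counts[(f"{d['facility']}.{d['severity']}", d["explicit"])] += 1
    return counts


# Constructed sample lines (not real captures): three Snare-format Windows events,
# one of which lacks the <PRI> prefix, plus one ordinary Linux sshd line.
SAMPLE_LINES = [
    "<13>Jan 10 12:00:01 WINHOST MSWinEventLog\t1\tSecurity\t10\tMon Jan 10 12:00:01 2022\t4624\tMicrosoft-Windows-Security-Auditing\t...",
    "<14>Jan 10 12:00:02 WINHOST MSWinEventLog\t1\tApplication\t11\tMon Jan 10 12:00:02 2022\t1000\tApplication Error\t...",
    "Jan 10 12:00:03 WINHOST MSWinEventLog\t1\tSystem\t12\tMon Jan 10 12:00:03 2022\t7036\tService Control Manager\t...",
    "<86>Jan 10 12:00:04 linuxhost sshd[1234]: Accepted publickey for alice from 192.0.2.10",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode_pri(line)
        tag = "explicit" if d["explicit"] else "MISSING -> receiver default"
        print(f"{d['facility']}.{d['severity']:<8} pri={d['pri']:<3} {tag}")
    print(triage(SAMPLE_LINES))
```

To feed it real data, dump the payloads with `tcpdump -nn -A udp port 514` on the rsyslog host and paste the message lines into SAMPLE_LINES; every line that shows up as `user.notice` with `explicit` False arrived without a PRI and was classified by rsyslog's default, not by anything nxlog chose. If the Windows sender turns out to be the source of the inconsistency, xm_syslog builds the header from the $SyslogFacility / $SyslogSeverity fields, so setting a fixed facility in the Output's Exec before calling to_syslog_snare() gives rsyslog something stable to filter on (check the xm_syslog reference for your nxlog version for the exact field names).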
