Hello!
I’m working on some NXLog content for C3 Inventory and wanted to share the configs I’ve got for the Agent and Relay services (and maybe someone has a better one!).
The goal with these is to forward the agent and relay logs to an event aggregator.
BigFix Relay Log Parsing
<Input bigfix_relay>
    Module im_file
    # Path filled in by BigFix relevance substitution at deploy time
    File "{concatenation "\\" of substrings separated by "\" of pathname of file "logfile.txt" of parent folder of file of relay service}"
    SavePos TRUE
    # Drop empty lines
    Exec if $raw_event == '' drop();
    # Relay lines look like "Tue, 05 Mar 2024 14:03:17 -0500 - message"
    Exec if $raw_event =~ /^([a-zA-Z]{3}, \d\d [a-zA-Z]{3} \d\d\d\d \d\d:\d\d:\d\d) -\d\d\d\d - (.*)/ { \
        $EventTime = parsedate($1); $timestamp = $EventTime; $raw_event = $2; \
    }
</Input>

<Route bigfix_relay>
    Path bigfix_relay => out
</Route>

<Extension dicom-multi>
    Module xm_multiline
    # A client log record starts with "At hh:mm:ss -zzzz - "; following lines belong to it
    HeaderLine /^At \d\d:\d\d:\d\d -\d\d\d\d - /
</Extension>
BigFix Client Log Parsing
<Input bigfix_client>
    Module im_file
    # Path filled in by BigFix relevance substitution at deploy time; the client writes one YYYYMMDD.log per day
    File "{concatenation "\\" of substrings separated by "\" of pathname of data folder of client}\\__Global\\Logs\\" + strftime(now(),"%Y%m%d") + ".log"
    SavePos TRUE
    ReadFromLast FALSE
    InputType dicom-multi
    PollInterval 3
    # Drop empty records
    Exec if $raw_event == '' drop();
    # Client records only carry a time of day, so the date is taken from the current day
    Exec if $raw_event =~ /^At (\d\d):(\d\d):(\d\d) -(\d\d\d\d) -(.*)/s { \
        $EventTime = parsedate(strftime(now(),"%Y-%m-%d") + " " + $1 + ":" + $2 + ":" + $3); $timestamp = $EventTime; $raw_event = $5; \
    }
</Input>

<Route bigfix_client>
    Path bigfix_client => out
</Route>
Note: I’m using BigFix to push out these configs so there is some relevance substitution in here specifically for the path to the log files. This will not work if you just copy it into your NXLog config.
Let me know if you’ve got something better!
Bill
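As an added example (not part of Bill's post and not BigFix or NXLog code), here is a small Python script that applies the same two regexes to constructed sample lines, so the patterns can be checked offline before the config is pushed out. It mirrors the relay regex and the xm_multiline header for the client log, with two assumed changes: the UTC offset is captured with either sign rather than only a negative one, and the client record date is taken from the YYYYMMDD.log file name instead of the current date, which keeps timestamps correct for records read after a midnight rollover. The log lines, file name and action id are all constructed for the example.

```python
"""Offline check of the NXLog regexes against constructed BigFix log lines."""
import re
from datetime import datetime

# Same capture layout as the relay Exec line, plus the UTC offset as a group.
# Assumption: offsets may be positive or negative ([+-]), not only negative.
RELAY_RE = re.compile(
    r'^([A-Za-z]{3}, \d\d [A-Za-z]{3} \d{4} \d\d:\d\d:\d\d) ([+-]\d{4}) - (.*)$')

# Same header shape as the xm_multiline HeaderLine for the client log.
CLIENT_HEADER_RE = re.compile(r'^At (\d\d):(\d\d):(\d\d) ([+-]\d{4}) - (.*)$')

# Constructed sample lines (not real BigFix output).
RELAY_SAMPLE = [
    "Tue, 05 Mar 2024 14:03:17 -0500 - Relay started",
    "",
    "Tue, 05 Mar 2024 14:03:18 -0500 - Registered with parent",
]

CLIENT_FILENAME = "20240305.log"  # constructed: the client writes one file per day
CLIENT_SAMPLE = [
    "At 23:59:58 -0500 - ActionLogMessage: (action 123) Action signature verified",
    "   second line of the same record",
    "",
    "At 23:59:59 -0500 - Report posted successfully",
]


def parse_relay(lines):
    """Return (iso_timestamp, message) pairs; blank lines are dropped like the Exec does."""
    out = []
    for line in lines:
        if line == "":
            continue
        m = RELAY_RE.match(line)
        if not m:
            continue  # NXLog would pass the raw line through unchanged; skipped here
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a, %d %b %Y %H:%M:%S %z")
        out.append((ts.isoformat(), m.group(3)))
    return out


def parse_client(filename, lines):
    """Group continuation lines under their 'At hh:mm:ss' header and stamp each
    record with the date from the file name (YYYYMMDD.log) rather than now(),
    so records still get the right day after a midnight rollover or a delayed read."""
    day = datetime.strptime(filename[:8], "%Y%m%d").date()
    records = []
    for line in lines:
        m = CLIENT_HEADER_RE.match(line)
        if m:
            hh, mm, ss, tz, msg = m.groups()
            ts = datetime.strptime(f"{day.isoformat()} {hh}:{mm}:{ss} {tz}",
                                   "%Y-%m-%d %H:%M:%S %z")
            records.append({"timestamp": ts.isoformat(), "message": msg})
        elif records and line.strip():
            # Non-header, non-blank line: continuation of the previous record
            records[-1]["message"] += "\n" + line.strip()
    return records


if __name__ == "__main__":
    for ts, msg in parse_relay(RELAY_SAMPLE):
        print("relay ", ts, msg)
    for rec in parse_client(CLIENT_FILENAME, CLIENT_SAMPLE):
        print("client", rec["timestamp"], rec["message"].replace("\n", " | "))
```

Running it prints one line per parsed record; a regex change that stops matching shows up immediately as a missing record rather than as silently unparsed events at the aggregator.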