Scott,
You need to do that on $Message before or on $raw_event after
to_syslog_ietf().
There is also replace().
Regards,
Botond
On Thu, 18 Sep 2014 08:43:45 -0600
Scott H <scott.harps...@gmail.com> wrote:
> That didn't seem to work, i cant get it to work. Here is an example of an
> output message:
> An account was logged off. Subject: #011Security
> ID:#011#011S-1-5-21-1859942413-378948228-1707219080-500 #011Account
> Name:#011#011UsernameHere #011Account Domain:#011#011DB #011Logon
> ID:#011#0110x434aea2 Logon Type:#011#011#0113 This event is generated when
> a logon session is destroyed. It may be positively correlated with a logon
> event using the Logon ID value. Logon IDs are only unique between reboots
> on the same computer.#015
>
> Here is my new config:
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
>
> <Extension syslog>
> Module xm_syslog
> </Extension>
> <Extension exec>
> Module xm_exec
> </Extension>
> <Input internal>
> Module im_internal
> </Input>
> <Input eventlog>
> Module im_msvistalog
> </Input>
>
> <Processor norepeat>
> Module pm_norepeat
> CheckFields Hostname, SourceName, Message
> </Processor>
>
> <Output out>
> Module om_tcp
> Host x.x.x.x
> port 514
> Exec if $raw_event =~ s/#011//g {};
> Exec if $raw_event =~ s/#015//g {};
> Exec to_syslog_ietf();
> </Output>
> <Route 1>
> Path internal, eventlog => norepeat => out
> </Route>
>
>
>
> On Thu, Sep 18, 2014 at 8:17 AM, Cyril SANTUNE <cyril.sant...@gmail.com>
> wrote:
>
> > Do you mean a tabulation char ?
> >
> > If so, you can use this following command before "Exec
> > to_syslog_ietf();" to replace tabulation by space.
> > Exec if $raw_event =~ s/\t/ /g {}
> >
> > Regards,
> > Cyril
> >
> > On Wed, Sep 17, 2014 at 8:46 PM, Scott H <scott.harps...@gmail.com> wrote:
> > > Does nxlog have a way to remove these before pushing out to my syslog
> > > server. My syslog can remove them but wanted to know if i could it on the
> > > senders side.
> > >
> > > Here is my config.
> > > <Extension syslog>
> > > Module xm_syslog
> > > </Extension>
> > >
> > > <Input internal>
> > > Module im_internal
> > > </Input>
> > > <Input eventlog>
> > > Module im_msvistalog
> > > </Input>
> > >
> > > <Processor norepeat>
> > > Module pm_norepeat
> > > CheckFields Hostname, SourceName, Message
> > > </Processor>
> > >
> > > <Output out>
> > > Module om_tcp
> > > Host x.x.x.x
> > > port 514
> > > Exec to_syslog_ietf();
> > > </Output>
> > > <Route 1>
> > > Path internal, eventlog => norepeat => out
> > > </Route>
> > >
> > >
> > ------------------------------------------------------------------------------
> > > Want excitement?
> > > Manually upgrade your production database.
> > > When you want reliability, choose Perforce
> > > Perforce version control. Predictably reliable.
> > >
> > http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> > > _______________________________________________
> > > nxlog-ce-users mailing list
> > > nxlog-ce-users@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
> > >
> >
------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
