Hello all,
I am currently having an issue in ArcSight with the way nxlog is sending
the date in Snare-formatted logs. The format that is being sent is
"Mon Mar  2 11:13:34 2015" when the expected format should be
"Mon Mar 02 11:13:34 2015". The format that is being sent is replacing the
"0" on a single-digit day with a space, causing a double space. Since the
parser is expecting two-digit days, this is causing an issue with log
parsing between the 1st and 9th of each month. Not sure if there is anything
wrong with my config or not. If anyone else is having or has had this issue,
please let me know if a fix is available.

Below is a sample of my config for the latest agent nxlog-ce.2.8.1248.


<Extension syslog>
Module xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    ReadFromLast True
    Query <QueryList>\
  <Query Id="0" Path="Security">\
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]</Select>\
    </Query>\
</QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        XX.XX.XX.XX
    Port        514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog => out
</Route>


Thanks.
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
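
Added example (not part of the original post, and not nxlog or ArcSight code): a small Python filter that a relay in front of the collector could apply to rewrite the space-padded day described above into the two-digit form, with a strict pattern standing in for a parser that requires two-digit days. The function names and the sample line are constructed for illustration; only the two timestamp strings come from the post.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def _pattern(day):
    # asctime-style timestamp, e.g. "Mon Mar 02 11:13:34 2015"
    return re.compile(
        r"\b(?P<dow>Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
        r"(?P<mon>" + "|".join(MONTHS) + r") "
        r"(?P<day>" + day + r") "
        r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<year>\d{4})\b"
    )

STRICT = _pattern(r"\d{2}")        # stand-in for a parser that needs two-digit days
TOLERANT = _pattern(r"[ 0-3]?\d")  # also accepts " 2" (space-padded) and "2"

def _to_datetime(m):
    # Locale-independent conversion; raises ValueError for impossible dates.
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1,
                    int(m["day"]), h, mi, s)

def strict_parse(line):
    """Return the timestamp if the strict (two-digit day) pattern matches."""
    m = STRICT.search(line)
    if not m:
        return None
    try:
        return _to_datetime(m)
    except ValueError:
        return None

def normalize(line):
    """Rewrite every asctime timestamp in the line to a zero-padded day."""
    def fix(m):
        try:
            _to_datetime(m)
        except ValueError:
            return m.group(0)  # not a real date: leave the text untouched
        return f"{m['dow']} {m['mon']} {int(m['day']):02d} {m['time']} {m['year']}"
    return TOLERANT.sub(fix, line)

# Constructed sample line; the field layout is illustrative, not exact Snare output.
SAMPLE = "host01 MSWinEventLog 1 Security 42 Mon Mar  2 11:13:34 2015 4624 ..."

if __name__ == "__main__":
    print(strict_parse(SAMPLE))             # None: strict pattern rejects " 2"
    print(normalize(SAMPLE))                # day rewritten to "02"
    print(strict_parse(normalize(SAMPLE)))  # 2015-03-02 11:13:34
```

Lines whose day is already two digits, or whose timestamp is not a real date, pass through unchanged.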