Hi Botond,
I entirely renovated the idea with another entry. Now the entry doesn't have a new
line (\n). But it still doesn't write to the output with raw_event and file_write.
In file_write I put the "otro" file.
Do you know what it can be?
Module x
I used the file_write function in the config file but nothing appears in
/home/antonio/Descargas/otro. I leave as I left the modules and if you had time
you could write well.
> Date: Fri, 13 May 2016 13:27:11 +0200
> From: b...@nxlog.org
> To: antoniocuest...@hotmail.com
> CC: nxlog-ce-users@lis
Hi,
If you don't need the original log you can either use drop() or send to
om_null.
To save the alerts you should add another route with im_internal =>
om_file or use file_write() instead of log_info().
Regards,
Botond
On Fri, 13 May 2016 13:09:24 +0200
Antonio Cuesta García wrote:
>
> Hi,
Antonio,
You will need to parse the IP address first:
Exec if $Message =~ /^\d{2}\\\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ((?:\d{1,3}\.){3}\d{1,3})/ $IP = $1;
The $IP field can (should) be used as the context in the Thresholded rule:
Condition ...
Threshold 3
Hi Jason,
The im_file module uses LineBased input by default, meaning that it will
only put a complete line in $raw_event.
In this particular case the error is valid as the input has fewer fields
than expected:
> Not enough fields in CSV input, expected 21, got 17 in input '
> MSFTPSVC1 SRV-FTP-0
Hi,
Since your input has linebreaks you might want to use the /ms modifiers,
see here:
https://nxlog.org/docs/en/nxlog-reference-manual.html#lang_binop_regmatch
Regards,
Botond
On Fri, 13 May 2016 01:45:56 +0200
Antonio Cuesta García wrote:
> Hi!
>
> This regular expression: ^\d{2}\/\d{2}-\d{2