NXlog Input Filter
I want to drop a certain dnslog line from what is forwarded to my SIEM server..
The log lines I want to drop are the ones with a "sophosxl" query. I tried the nxlog config below, but it doesn't work..
Please help... thanks
My sample log file:
3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF664DD0 UDP Rcv 10.5.102.203 4140 Q [0001 D NOERROR] A (4)win8(4)ipv6(9)microsoft(3)com(0)
3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF703080 UDP Rcv 192.164.47.70 1035 Q [0001 D NOERROR] A (2)go(9)microsoft(3)com(0)
3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF7070A0 UDP Rcv 10.51.51.56 a55d Q [0001 D NOERROR] A (1)4(8)sophosxl(3)net(0)
3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF705090 UDP Rcv 192.164.33.37 a4c1 Q [0001 D NOERROR] A (12)filedownload(6)lenovo(3)com(0)
NXLOG_CONFIG
<Input dns>
Module im_file
File "C:\dns.log"
SavePos TRUE
#InputType multilineEmtpyLine
ReadFromLast TRUE
Exec if ($raw_event == '') drop();
Exec if ($message =~ /sophosxl/) drop();
PollInterval 1
Exec $Message = $raw_event;
# $SyslogFacilityValue = 22;
</Input>
im_file reads the data into the $raw_event field, so you need to use that:
Exec if ($raw_event =~ /sophosxl/) drop();
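As an added illustration of the answer (my own Python model, not code from this thread or from NXLog), the two Exec chains are replayed over the question's sample lines: `read_event` and `nxlog_match` are assumed simplifications of im_file's behaviour (only $raw_event is populated, and a field that was never set cannot match), and the zone check at the end goes beyond the thread by anchoring on the decoded query name so that unrelated names merely containing the substring are not dropped from the SIEM feed.

```python
import re

# Constructed sample input: the four lines from the question's dns.log excerpt.
SAMPLE_LOG = [
    "3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF664DD0 UDP Rcv 10.5.102.203 4140 Q [0001 D NOERROR] A (4)win8(4)ipv6(9)microsoft(3)com(0)",
    "3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF703080 UDP Rcv 192.164.47.70 1035 Q [0001 D NOERROR] A (2)go(9)microsoft(3)com(0)",
    "3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF7070A0 UDP Rcv 10.51.51.56 a55d Q [0001 D NOERROR] A (1)4(8)sophosxl(3)net(0)",
    "3/2/2018 6:47:04 PM 0D84 PACKET 000000C1FF705090 UDP Rcv 192.164.33.37 a4c1 Q [0001 D NOERROR] A (12)filedownload(6)lenovo(3)com(0)",
]


def read_event(line):
    """Assumed model of what im_file hands to the Exec chain: only $raw_event is
    set. $message is not populated, which is why the original filter never fires."""
    return {"raw_event": line}


def nxlog_match(event, field, pattern):
    """Assumed model of `$field =~ /pattern/`: an undefined field never matches."""
    value = event.get(field)
    return value is not None and re.search(pattern, value) is not None


def run_pipeline(lines, field, pattern=r"sophosxl"):
    """Replay the question's Exec directives, filtering on `field`, and return
    the events that would still be forwarded to the SIEM."""
    kept = []
    for line in lines:
        ev = read_event(line)
        if ev["raw_event"] == "":          # Exec if ($raw_event == '') drop();
            continue
        if nxlog_match(ev, field, pattern):  # Exec if ($<field> =~ /sophosxl/) drop();
            continue
        ev["Message"] = ev["raw_event"]    # Exec $Message = $raw_event;
        kept.append(ev)
    return kept


def dns_query_name(raw_event):
    """Decode the length-prefixed name at the end of a Windows DNS debug-log
    line, e.g. '(1)4(8)sophosxl(3)net(0)' -> '4.sophosxl.net'."""
    labels = re.findall(r"\((\d+)\)([^(]*)", raw_event.rsplit(" ", 1)[-1])
    return ".".join(text for length, text in labels if int(length) > 0)


def is_in_zone(raw_event, zone):
    """Tighter drop condition: match the decoded query name against a zone
    instead of a bare substring, so a name like notsophosxl.example survives."""
    name = dns_query_name(raw_event)
    return name == zone or name.endswith("." + zone)
```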