108.11. GELF (xm_gelf)
This module provides reader and writer functions for processing log data in the Graylog Extended Log Format (GELF), for use with Graylog2 or other GELF-compliant tools.
Unlike the Syslog format (as produced by Snare Agent, for example), GELF carries structured data as JSON, so the individual fields are available for analysis. This is especially convenient with sources such as the Windows EventLog, which already generate logs in a structured format.
The xm_gelf module provides the following reader and writer functions.
- InputType GELF_TCP: This input reader parses GELF received over TCP (use with the im_tcp input module).
- InputType GELF_UDP: This input reader parses GELF received over UDP (use with the im_udp input module).
- InputType GELF: This type is equivalent to the GELF_UDP reader.
- OutputType GELF_TCP: This output writer generates GELF for use with TCP (use with the om_tcp output module).
- OutputType GELF_UDP: This output writer generates GELF for use with UDP (use with the om_udp output module).
- OutputType GELF: This type is equivalent to the GELF_UDP writer.
Configuring NXLog to process GELF input or output requires loading the xm_gelf extension module and then setting the corresponding InputType or OutputType in the Input or Output module instance. See the examples below.
The GELF output generated by this module includes all fields, except for the $raw_event field and any field having a leading dot (.) or underscore (_).
108.11.1. Configuration
The xm_gelf module accepts the following directives in addition to the common module directives.
- ShortMessageLength: This optional directive specifies the length of the short_message field for the GELF output writers. It defaults to 64 if the directive is not explicitly specified. If the field short_message or ShortMessage is present, it will not be truncated.
- UseNullDelimiter: If this optional boolean directive is TRUE, the GELF_TCP output writer will use the NUL delimiter. If this directive is FALSE, it will use the newline delimiter. The default is TRUE.
108.11.2. Fields
The following fields are used by xm_gelf. In addition to the fields listed below, if the GELF input contains custom user fields (those prefixed with the _ character), those fields will be available without the _ prefix. For example, the GELF record {"_foo": "bar"} will generate the field $foo containing the value "bar".
- $EventTime (type: datetime): The time when the GELF message was created. This is called timestamp in the GELF specification.
- $FullMessage (type: string): A long message that might contain a backtrace, a listing of environment variables, and so on.
- $Hostname (type: string): The name of the host that sent the GELF message. This is called host in the GELF specification.
- $SeverityValue (type: integer): The standard syslog severity level. This is called level in the GELF specification.
- $ShortMessage (type: string): A short message with a brief description of the event. If the "short_message" JSON field is not present in the incoming GELF message, the module uses the truncated value of $Message or $raw_event.
- $SourceLine (type: integer): The line in a file that caused the event. This is called line in the GELF specification.
- $SyslogFacility (type: string): The syslog facility that created the event. This is called facility in the GELF specification.
- $version (type: string): The GELF specification version as present in the input, e.g. 1.1.
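The field mapping above, the output rules (no $raw_event, no fields with a leading dot or underscore, short_message truncated to ShortMessageLength unless set explicitly) and the GELF_TCP delimiter chosen by UseNullDelimiter can be seen working together on a sample record. The following script is an added illustration written for this section, not code from NXLog or the xm_gelf module; it assumes that the GELF timestamp is seconds since the epoch and that fields without a GELF counterpart are emitted with a leading underscore (the inverse of the input rule), both of which come from the GELF specification rather than from this page. The sample record and the file name are constructed.

```python
"""Model of the xm_gelf field mapping and output rules described in this section.

Added illustration, not NXLog's own code: NXLog implements these rules in C
inside the xm_gelf module. This script models them so they can be exercised
on a constructed sample record.
"""
import json
from datetime import datetime, timezone

# GELF JSON key -> NXLog field name, as listed in the Fields section above.
GELF_TO_NXLOG = {
    "timestamp": "EventTime",
    "full_message": "FullMessage",
    "host": "Hostname",
    "level": "SeverityValue",
    "short_message": "ShortMessage",
    "line": "SourceLine",
    "facility": "SyslogFacility",
    "version": "version",
}
NXLOG_TO_GELF = {v: k for k, v in GELF_TO_NXLOG.items()}

DEFAULT_SHORT_MESSAGE_LENGTH = 64  # the ShortMessageLength default


def parse_gelf(raw: str) -> dict:
    """Reader side (GELF_TCP/GELF_UDP input): one GELF JSON document -> NXLog fields."""
    doc = json.loads(raw)
    fields = {"raw_event": raw}
    for key, value in doc.items():
        if key in GELF_TO_NXLOG:
            name = GELF_TO_NXLOG[key]
            if name == "EventTime":
                # Assumption: the GELF timestamp is seconds since the epoch (UTC),
                # as the GELF specification defines it.
                value = datetime.fromtimestamp(float(value), tz=timezone.utc)
            fields[name] = value
        elif key.startswith("_"):
            # Custom user fields become available without the '_' prefix.
            fields[key[1:]] = value
        else:
            fields[key] = value
    return fields


def to_gelf(fields: dict, short_message_length: int = DEFAULT_SHORT_MESSAGE_LENGTH) -> dict:
    """Writer side (GELF_TCP/GELF_UDP output): NXLog fields -> GELF document."""
    gelf = {"version": "1.1"}
    for name, value in fields.items():
        # $raw_event and any field with a leading '.' or '_' are never emitted.
        if name == "raw_event" or name.startswith((".", "_")):
            continue
        if name in NXLOG_TO_GELF:
            if name == "EventTime":
                value = value.timestamp()
            gelf[NXLOG_TO_GELF[name]] = value
        else:
            # Assumption: remaining fields go out as GELF additional fields,
            # which the GELF specification requires to carry a leading '_'.
            gelf["_" + name] = value
    if "short_message" not in gelf:
        # No $ShortMessage present: use $Message, else $raw_event, truncated
        # to ShortMessageLength. An explicit $ShortMessage is never truncated.
        source = fields.get("Message", fields.get("raw_event", ""))
        gelf["short_message"] = source[:short_message_length]
    return gelf


def frame_gelf_tcp(gelf: dict, use_null_delimiter: bool = True) -> bytes:
    """GELF_TCP framing: NUL delimiter (UseNullDelimiter TRUE, the default) or newline."""
    delimiter = b"\x00" if use_null_delimiter else b"\n"
    return json.dumps(gelf, separators=(",", ":")).encode("utf-8") + delimiter


def split_gelf_tcp(stream: bytes, use_null_delimiter: bool = True) -> list:
    """Receiver side of GELF_TCP: split a byte stream on the configured delimiter."""
    delimiter = b"\x00" if use_null_delimiter else b"\n"
    return [parse_gelf(chunk.decode("utf-8")) for chunk in stream.split(delimiter) if chunk]


# Constructed sample record (not captured from a real Graylog deployment).
SAMPLE_GELF = ('{"version":"1.1","host":"web01","short_message":"login ok",'
               '"timestamp":1700000000,"level":6,"facility":"auth","_foo":"bar"}')


def demo() -> dict:
    """Round-trip the sample: parse it, add fields, write it back out."""
    fields = parse_gelf(SAMPLE_GELF)
    fields["FileName"] = "app.log"    # constructed; becomes _FileName on output
    fields[".internal"] = "dropped"   # leading dot: excluded from output
    return to_gelf(fields)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the re-emitted document: the `_foo` input field comes back as `_foo` after having been visible as `$foo` in between, `.internal` and `raw_event` are absent, and `short_message` is the original value because it was present on input rather than derived from `$raw_event`.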
108.11.3. Examples
This configuration uses the im_tcp module to collect logs over TCP port 12201 and the xm_gelf module to parse them.
The following configuration reads the Windows EventLog and sends it to a Graylog2 server in GELF format.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_msvistalog
    # Uncomment the following to collect specific event logs only
    # but make sure not to leave any `#` as only <!-- --> style comments
    # are supported inside the XML.
    #Query      <QueryList>\
    #               <Query Id="0">\
    #                   <Select Path="Application">*</Select>\
    #                   <Select Path="System">*</Select>\
    #                   <Select Path="Security">*</Select>\
    #               </Query>\
    #           </QueryList>
</Input>

<Output udp>
    Module      om_udp
    Host        192.168.1.1
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path        eventlog => udp
</Route>
In this example, custom application logs are collected and sent out in GELF, with custom fields set to make the data more useful for the receiver.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input file>
    Module      im_file
    File        "/var/log/app*.log"
    <Exec>
        # Set the $EventTime field usually found in the logs by
        # extracting it with a regexp. If this is not set, the current
        # system time will be used which might be a little off.
        if $raw_event =~ /(\d\d\d\d\-\d\d-\d\d \d\d:\d\d:\d\d)/
            $EventTime = parsedate($1);
        # Explicitly set the Hostname. This defaults to the system's
        # hostname if unset.
        $Hostname = 'myhost';
        # Now set the severity level to something custom. This defaults
        # to 'INFO' if unset. We can use the following numeric values
        # here which are the standard Syslog values: ALERT: 1, CRITICAL:
        # 2, ERROR: 3, WARNING: 4, NOTICE: 5, INFO: 6, DEBUG: 7
        if $raw_event =~ /ERROR/ $SyslogSeverityValue = 3;
        else $SyslogSeverityValue = 6;
        # Set a field to contain the name of the source file
        $FileName = file_name();
        # To set a custom message, use the $Message field. The
        # $raw_event field is used if $Message is unset.
        if $raw_event =~ /something important/
            $Message = 'IMPORTANT!! ' + $raw_event;
    </Exec>
</Input>

<Output udp>
    Module      om_udp
    Host        192.168.1.1
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route file_to_gelf>
    Path        file => udp
</Route>
With this configuration, NXLog will read a CSV file containing three fields and forward the data in GELF so that the fields will be available on the server.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension csv>
    Module      xm_csv
    Fields      $name, $number, $location
    FieldTypes  string, integer, string
    Delimiter   ,
</Extension>

<Input file>
    Module      im_file
    File        "/var/log/app/csv.log"
    Exec        csv->parse_csv();
</Input>

<Output udp>
    Module      om_udp
    Host        192.168.1.1
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route csv_to_gelf>
    Path        file => udp
</Route>