Common Event Expression (CEE)
NXLog can be configured to collect or forward logs in the Common Event Expression (CEE) format. CEE was developed by MITRE as an extension for Syslog, based on JSON. MITRE’s work on CEE was discontinued in 2013.
Dec 20 12:42:20 syslog-relay serveapp[1335]: @cee: {"pri":10,"id":121,"appname":"serveapp","pid":1335,"host":"syslog-relay","time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","status":"success"}
Collecting and parsing CEE
NXLog can parse CEE with the parse_json() procedure provided by the xm_json extension module.
With the following configuration, NXLog accepts CEE logs via TCP, parses
the CEE-formatted $Message
field, and writes the logs to file in JSON format.
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
<Exec>
parse_syslog();
if $Message =~ /^@cee: ({.+})$/
{
$raw_event = $1;
parse_json();
}
</Exec>
</Input>
<Output out>
Module om_file
File '/var/log/json'
Exec to_json();
</Output>
Oct 13 14:23:11 myserver @cee: { "purpose": "test" }
{
"EventReceivedTime": "2016-09-13 14:23:12",
"SourceModuleName": "in",
"SourceModuleType": "im_file",
"SyslogFacilityValue": 1,
"SyslogFacility": "USER",
"SyslogSeverityValue": 5,
"SyslogSeverity": "NOTICE",
"SeverityValue": 2,
"Severity": "INFO",
"Hostname": "myserver",
"EventTime": "2016-09-13 14:23:11",
"Message": "@cee: { \"purpose\": \"test\" }",
"purpose": "test"
}
Generating and forwarding CEE
NXLog can also generate CEE, using the to_json() procedure provided by the xm_json extension module.
With this configuration, NXLog parses IETF Syslog input from file. The logs are then converted to CEE format and forwarded via TCP. The Syslog header data and IETF Syslog Structured-Data key/value list from the input are also included.
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File '/var/log/ietf'
Exec parse_syslog();
</Input>
<Output out>
Module om_tcp
Host 192.168.1.1
Port 1514
Exec $Message = '@cee: ' + to_json(); to_syslog_bsd();
</Output>
<13>1 2016-10-13T14:23:11.000000-06:00 myserver - - - [NXLOG@14506 Purpose="test"] This is a test message.
<13>Oct 13 14:23:11 myserver @cee: {"EventReceivedTime":"2016-10-13 14:23:12","SourceModuleName":"in","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2016-10-13 14:23:11","Hostname":"myserver","Purpose":"test","Message":"This is a test message."}