NXLog Legacy Documentation

Common Event Expression (CEE)

NXLog can be configured to collect or forward logs in the Common Event Expression (CEE) format. CEE was developed by MITRE as an extension for Syslog, based on JSON. MITRE’s work on CEE was discontinued in 2013.

Log sample
Dec 20 12:42:20 syslog-relay serveapp[1335]: @cee: {"pri":10,"id":121,"appname":"serveapp","pid":1335,"host":"syslog-relay","time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","status":"success"}

Collecting and parsing CEE

NXLog can parse CEE with the parse_json() procedure provided by the xm_json extension module.

Example 1. Collecting CEE logs

With the following configuration, NXLog accepts CEE logs via TCP, parses the CEE-formatted $Message field, and writes the logs to file in JSON format.

nxlog.conf
<Extension json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    <Exec>
        parse_syslog();
        if $Message =~ /^@cee: ({.+})$/
        {
            $raw_event = $1;
            parse_json();
        }
    </Exec>
</Input>

<Output out>
    Module  om_file
    File    '/var/log/json'
    Exec    to_json();
</Output>
Input sample
Oct 13 14:23:11 myserver @cee: { "purpose": "test" }
Output sample
{
  "EventReceivedTime": "2016-09-13 14:23:12",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "SyslogFacilityValue": 1,
  "SyslogFacility": "USER",
  "SyslogSeverityValue": 5,
  "SyslogSeverity": "NOTICE",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "myserver",
  "EventTime": "2016-09-13 14:23:11",
  "Message": "@cee: { \"purpose\": \"test\" }",
  "purpose": "test"
}

Generating and forwarding CEE

NXLog can also generate CEE, using the to_json() procedure provided by the xm_json extension module.

Example 2. Generating CEE logs

With this configuration, NXLog parses IETF Syslog input from file. The logs are then converted to CEE format and forwarded via TCP. The Syslog header data and IETF Syslog Structured-Data key/value list from the input are also included.

nxlog.conf
<Extension json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    '/var/log/ietf'
    Exec    parse_syslog();
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.1.1
    Port    1514
    Exec    $Message = '@cee: ' + to_json(); to_syslog_bsd();
</Output>
Input sample
<13>1 2016-10-13T14:23:11.000000-06:00 myserver - - - [NXLOG@14506 Purpose="test"] This is a test message.
Output sample
<13>Oct 13 14:23:11 myserver @cee: {"EventReceivedTime":"2016-10-13 14:23:12","SourceModuleName":"in","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2016-10-13 14:23:11","Hostname":"myserver","Purpose":"test","Message":"This is a test message."}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 17 September 2018