-1

I'm using nxlog and its Perl module xm_perl (https://nxlog.co/documentation/nxlog-user-guide/xm_perl.html). I have written a Perl code with regular expressions which works perfectly with data I want. My nxlog looks like this:

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Extension json>
    Module      xm_json
</Extension>

<Extension perl>
    Module      xm_perl
    PerlCode    /usr/libexec/nxlog/modules/extension/perl/perlcode.pl
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input udp>
    Module      im_udp
    Host        0.0.0.0
    Port        514 
    Exec        parse_syslog(); to_json();perl_call("rec2msg");
</Input> 

<Output file_udp>
    Module      om_file
    File        "/tmp/logmsg2.txt"
</Output> 

<Route udp_to_file>
    Path        udp => file_udp
</Route>

and perlcode.pl looks like this:

use strict;
use warnings;
use feature 'say';
use JSON;
use utf8;

my %IDs = ( "User awx01 logged in." => 1001 );  
my %levels = ( INFO => 4 );                                 
my $json    = data2json($event);         
my $record  = decode_json($json);       
say rec2msg($record);
sub data2json {                         
    my $json = shift;                   
    $json =~ s/[""]/"/g;
    $json =~ s/\\//g;
    $json =~ s/"(\{.*?\})"/$1/;
    return $json;
}
sub rec2msg {                           
    my $r = shift;
    $r->{Message}{message} =~ /(\w+) (\w+) (.+)/;

    my($user,$msg) = ($2,"$1 $3");
    my $ID   = $IDs{$r->{Message}{message}};
    my $level   = $levels{$r->{Message}{level}};

    my $out = "$r->{Message}{'@timestamp'} host CEF:0|OpenSource|AWX|7.0.0|$ID|$msg|$level|src=127.0.0.1 dst=$r->{MessageSourceAddress} duser=$user";
    return $out;
}

So I want that JSON that I get after to_json() turn into new format with perl_call ("rec2msg"), but I get this error:

ERROR perl subroutine rec2msg failed with an error: 'Can't use string ("140116462930352") as a HASH ref while "strict refs" in use at /usr/libexec/nxlog/modules/extension/perl/perlcode.pl line 21.;'

What am I doing wrong?

this is JSON, which should be transformed:

{"MessageSourceAddress":"192.168.81.20","EventReceivedTime":"2020-02-06 11:55:14","SourceModuleName":"udp","SourceModuleType":"im_udp","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2020-02-06 11:55:14","Hostname":"192.168.81.20","Message":"{\"@timestamp\": \"2020-02-06T08:55:52.907Z\", \"message\": \"User awx01 logged in.\", \"host\": \"awxweb\", \"level\": \"INFO\", \"logger_name\": \"awx.api.generics\", \"stack_info\": null, \"type\": \"other\", \"cluster_host_id\": \"awx-contr-01\", \"tower_uuid\": \"333b4131-495f-4460-8e4b-890241a9d73d\"}"}
french_fries
  • 1,149
  • 6
  • 22

1 Answers1

1

Either $r or $r->{Message} is not a hash reference, but rather a large number.

The number might be a reference address, didn't you use a hash reference in a numeric context somewhere?

There is one suspicious line, too:

  • s/[""]/"/g does nothing, [""] is a character class equivalent to ".
choroba
  • 231,213
  • 25
  • 204
  • 289