I have enabled debug mode in the Windows DNS server and the log file is located at c:\logs\dns.log
<181>Jan 2 11:41:40 DC-SE-01 MSWinEventLog 1 N/A 1011398786 Tue Jan 2 11:41:40 2018 N/A N/A N/A N/A N/A N/A N/A N/A
<181>Jan 2 11:41:40 DC-IN-01 MSWinEventLog 1 N/A 1011398810 Tue Jan 2 11:41:40 2018 N/A N/A N/A N/A N/A N/A N/A N/A
<181>Jan 2 11:41:40 DC-IN-01 MSWinEventLog 1 N/A 1011398825 Tue Jan 2 11:41:40 2018 N/A N/A N/A N/A N/A N/A N/A 1/2/2018 11:41:38 AM 0A48 PACKET 00BACCA157DAE01 UDP Snd 11.11.201.81 3b20 R Q [8281 DR SERVFAIL] A (8)tnmaster(0) N/A
I think these messages are of little importance, so how do I get rid of these messages from nxlog, and why are the "N/A"s in there?
Below are the relevant parts of the nxlog.conf file:
<Input dnsdebug>
    # Route "3" below refers to this input as "dnsdebug", so the block must carry that name
    Module      im_file
    File        "C:\logs\dns.log"
    InputType   LineBased
    # Each raw line becomes $Message; no EventLog fields (EventID, Channel, ...) are parsed here
    Exec        $Message = $raw_event; $SyslogFacilityValue = 22;
</Input>

<Output logger>
    Module      om_udp
    Host        11.11.11.10
    Port        514
    # to_syslog_snare() comes from the xm_syslog extension, which must be loaded elsewhere in nxlog.conf
    Exec        to_syslog_snare();
</Output>

<Route 3>
    Path        dnsdebug => logger
</Route>
Upvotes: 0
Views: 493
The Snare syslog format is basically a tab-delimited string that assumes certain fields, such as the EventID, since it was primarily designed to transfer the Windows EventLog over syslog.
In order to generate the output, these fields need to be populated. When you read the DNS log from a file, these fields are obviously not parsed automatically, thus the output has N/A at those places.
For more information see the Snare topic in the NXLog User Guide.
Since you are trying to collect dns.log, the Collecting DNS logs topic might also be relevant.
Upvotes: 2
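As an added example (not code from the question, the answer, or NXLog), a Python parser for the Windows DNS debug-log PACKET record that is the payload of the third Snare message above. It shows which fields such a record actually carries (timestamp, direction, remote IP, transaction ID, flags, RCODE, query type and name) and that none of them are the Windows EventLog fields the Snare format expects. The column layout, the US m/d/Y date format and the constructed second sample line in the test are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Columns assumed from the Windows DNS debug-log PACKET record (the tail of the question's
# third message): Date Time Thread Context PacketId Proto Snd|Rcv RemoteIP Xid [R] Opcode
# [FlagsHex FlagsChars RCODE] QType QName. The "R" column is present only on responses.
DNS_DEBUG_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>\S+)\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R?)\s+(?P<opcode>[A-Z?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s*(?P<flags_chars>[ATDR ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

@dataclass
class DnsDebugRecord:
    timestamp: datetime
    proto: str
    direction: str      # Snd = the server sent the packet, Rcv = the server received it
    remote_ip: str
    xid: str            # DNS transaction ID (hex)
    is_response: bool
    opcode: str         # Q standard query, N notify, U update, ? unknown
    flags: set          # A authoritative, T truncated, D recursion desired, R recursion available
    rcode: str
    qtype: str
    qname: str

def decode_qname(raw: str) -> str:
    """'(8)tnmaster(0)' -> 'tnmaster.': labels are length-prefixed, (0) is the root."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", raw):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {raw!r}")
        if label:
            labels.append(label)
    return ".".join(labels) + "."

def parse_dns_debug_line(line: str) -> Optional[DnsDebugRecord]:
    """Return a record for a PACKET line, or None for blank, header or other lines."""
    m = DNS_DEBUG_RE.match(line.strip())
    if not m:
        return None
    return DnsDebugRecord(
        timestamp=datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p"),  # assumed US m/d/Y
        proto=m["proto"], direction=m["direction"], remote_ip=m["remote_ip"], xid=m["xid"],
        is_response=m["response"] == "R", opcode=m["opcode"],
        flags=set(m["flags_chars"].replace(" ", "")), rcode=m["rcode"],
        qtype=m["qtype"], qname=decode_qname(m["qname"]),
    )
```

Lines that do not match (the blank and header lines the DNS debug log also contains) return None, so a caller can simply drop them.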