IIS7 W3C log parsing fails

Tags: W3C IIS

#1 CSimpiFoN

Hello Guys,

I have a question about NXLog IIS7 W3C logs. I set NXLog up and it works basically, but the NXLog logs are full of error messages like this:

2016-04-26 09:46:36 ERROR if-else failed at line 64, character 257 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 64, character 113 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; couldn't parse integer: language=UK&region=802&idfwbonavigation=180173.2

It looks like the IIS logs contain an "=" sign in the $cs-uri-query field, and NXLog wants an integer after the "=", however the field is set to be string in the config file.

Have you ever met anything like this? And if yes, what could be the solution?

NXLog extension and input config:

<Extension exiis>
    Module        xm_csv
    Fields        $date $time $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs(User-Agent) $cs(Cookie) $cs(Referer) $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
    FieldTypes    string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer, integer, integer
    Delimiter    ' '
    QuoteChar    '"'
    EscapeControl    FALSE
    UndefValue    -
</Extension>

<Input IIS>
    Module        im_file
    File        "D:\\Logs\\IIS\\W3SVC300\\u_ex*"
    SavePos        TRUE
    Recursive    FALSE
    Exec if $raw_event =~ /^#/ drop(); \
        else \
        { \
            exiis->parse_csv(); \
            $EventTime = parsedate($date + " " + $time); \
            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
        }
</Input>

#2 adm Nxlog ✓

In similar cases the issue was that IIS did not escape the URL part and the delimiter character (space or ;) was present in the URL which caused the CSV parser to fail.

You should look at the offending line(s) causing the parser errors to confirm if that's the case.
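
One way to do the check suggested above, as an added example (not part of the original thread and not NXLog code): a Python script that splits each line with the same settings as the posted xm_csv block (space delimiter, `"` quote character, `-` as the undefined value) and reports lines whose field count or integer columns do not match. The function names and the sample log lines are constructed for illustration.

```python
import csv

# Field list and integer columns copied from the xm_csv Extension block in the question.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus "
          "sc-win32-status sc-bytes cs-bytes time-taken").split()
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}


def check_line(line):
    """Return the problems found in one W3C log line (empty list = parses cleanly)."""
    values = next(csv.reader([line.rstrip("\r\n")], delimiter=" ", quotechar='"'))
    problems = []
    if len(values) != len(FIELDS):
        problems.append(f"expected {len(FIELDS)} fields, got {len(values)}")
    for name, value in zip(FIELDS, values):
        # "-" is the UndefValue in the config, so it is not a type error.
        if name in INT_FIELDS and value != "-" and not value.lstrip("-").isdigit():
            problems.append(f"{name} is not an integer: {value!r}")
    return problems


def find_offending_lines(lines):
    """Yield (line_number, problems) for every data line that would fail to parse."""
    for number, line in enumerate(lines, start=1):
        if line.startswith("#") or not line.strip():
            continue  # W3C directive lines are dropped by the Exec block as well
        problems = check_line(line)
        if problems:
            yield number, problems


# Constructed sample: the third line has an unescaped space in cs-uri-stem,
# which shifts cs-uri-query into the integer-typed s-port column.
SAMPLE = [
    "#Version: 1.0",
    "2016-04-26 09:46:35 10.0.0.5 GET /shop/index.aspx language=UK&region=802 80 - 192.0.2.10 Mozilla/5.0 - - 200 0 0 5120 412 31",
    "2016-04-26 09:46:36 10.0.0.5 GET /shop/my page.aspx language=UK&region=802 80 - 192.0.2.10 Mozilla/5.0 - - 200 0 0 5120 412 31",
]

if __name__ == "__main__":
    for number, problems in find_offending_lines(SAMPLE):
        print(f"line {number}: " + "; ".join(problems))
```

To run it against a real file, pass the open file object to `find_offending_lines` instead of `SAMPLE`.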