Assistance with Time Zone and Log
Good Afternoon. I was hoping someone may be able to assist me with an issue I am having sending my logs from IIS in W3C format to Graylog. The W3C time is by default in UTC. When NXlog is sending the logs to my graylog server it is sending logs that are already 4 hours old because I am in EST, but the IIS logs are in UTC. Is there something I can do in the configuration so NXlog is shipping current logs?
<Extension w3c> Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, string, string, string, integer Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension>
<Input iis> Module im_file File "C:\inetpub\logs\LogFiles\\u_ex*" SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "Server"; \
$Message = to_json(); \
}
</Input>
Thanks in advance.
You have a couple options, I think. One option is to change the output of the timestamp in the IIS config.
If you can not do this, you can try one of the suggestions in the Adjusting Timestamps chapter in the manual.
https://nxlog.co/documentation/nxlog-user-guide/timestamps.html#adjusting-timestamps
