Statically inject x-forward-for into IIS messages


#1 kmschramm

How would I go about statically assigning the value of x-forward-for at the end of an IIS message that is being read through im_file?

I am doing testing of IIS Log files and I want to take a value from an internal system and add the x-forward-for field to the message.

I have tried adding it to the Input on im_file

Exec $Message = $x_forwarded_for + ' ' + 'x.x.x.x';

I have tried it as

$raw_event = $raw_event + 'x.x.x.x'

Either the value never shows up or it ends up outside of the message. What I need is for it to be inside the message. Essentially where the time-taken is on this example message I would end up with my static x-forwarded-for entry.

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-02 17:11:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-02 17:11:27 fe80::b5d8:132c:cec9:daef%6 RPC_IN_DATA /rpc/rpcproxy.dll 1d4026cb-6730-43bf-91eb-df80f41c050f@test.com:6001&CorrelationID=<empty>;&RequestId=11d6a78a-7c34-4f43-9400-ad23b114aa62&cafeReqId=11d6a78a-7c34-4f43-9400-ad23b114aa62; 80 TEST\HealthMailbox418406e fe80::b5d8:132c:cec9:daef%6 MSRPC - 500 0 0 7990
2017-10-02 17:12:57 fe80::a425:345a:7143:3b15%2 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.1715 80 - fe80::a425:345a:7143:3b15%2 Microsoft+WinRM+Client - 500 0 0 11279
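As an added example (not from the thread and not NXLog's own documentation), an im_file input that appends the static value to each record and also extends the #Fields header, so the extra column stays inside the W3C line and downstream parsers still line the fields up; the log path and the address 203.0.113.10 are assumed placeholders for this illustration:

```apache
<Input iis>
    Module  im_file
    # Assumed path: point this at the IIS site's W3C log directory.
    File    'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    <Exec>
        # Add the new column name to the #Fields header line, so any
        # W3C-aware consumer knows a 16th field follows time-taken.
        if $raw_event =~ /^#Fields:/
            $raw_event = $raw_event + ' x-forwarded-for';
        # Leave the other # header lines alone; append the static test
        # value (placeholder, TEST-NET-3 range) after time-taken on records.
        if $raw_event !~ /^#/
            $raw_event = $raw_event + ' 203.0.113.10';
    </Exec>
</Input>
```

Writing this input to a plain om_file output first shows whether the value lands inside the line before any downstream wrapping (syslog, JSON) is applied.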

#2 raf (Deactivated) Nxlog ✓

Hello,

Could you share your full conf file? It's gonna be easier to follow your approach & fix your issue.

Thanks,

Rafal