
Send custom value in iis_log message
I want to know if it is possible to send a custom field and value along with the IIS log message. Currently this is my config:

```
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension gelf>
    #Module xm_syslog
    Module xm_gelf
</Extension>

#<Extension json>
#    Module xm_json
#</Extension>

<Extension w3c_parser>
    Module xm_csv
    Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
           s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
           sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes string, string, string, string, string, string, integer, \
               string, string, string, string, integer, integer, integer, \
               integer
    Delimiter ' '
    EscapeChar '"'
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input in2>
    Module im_file
    File "c:\\logs\\app\\iislog\\u_extend1.log"
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + "T" + $time + ".000Z");
        }
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host 172.28.36.25
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
</Output>

<Route 1>
    Path in2 => out
</Route>
```

This works great, but I need to add a custom, static value to the message, like FIELD: "system", VALUE: "program1", and this value is always the same:

```
date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken, **system**
```

Is this possible? Thanks!

Anbers created
Replies: 1
Exclude requests for web sockets from IIS logs

I have

```
<Extension w3c>
    Module            xm_csv
    Fields            $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes        string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer
    Delimiter        ' '
    QuoteChar        '"'
    EscapeControl    FALSE
    UndefValue        -
</Extension>
```

And I have

```
<Input iis>
    Module            im_file
    File            "C:\\inetpub\\logs\\LogFiles\\u_ex*.log"
    SavePos            TRUE
    Exec \
                    if $raw_event =~ /^#/ drop(); \
                    else \
                        { \
                            w3c->parse_csv(); \
                            $EventTime = parsedate($date + " " + $time); \
                            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                            $SourceName = "IIS"; \
                        }
</Input>
```

When I try to add something like `if $raw_event =~ /^#/ or $sc-status == 101 drop(); \`

I get an error in the log like this:

```
couldn't parse statement at line 91, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected -, expecting (
```

I have tried similar options, but it doesn't work.

What am I doing wrong? Please help me. Thanks.

 


V_Vorobey created
Replies: 1
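The two posts above ask for the same IIS-to-GELF pipeline with one extra step each: a static field (`system` = `program1`) attached to every message, and WebSocket upgrade requests (`sc-status` 101) dropped. In NXLog's own language the parse error in the second post comes from the hyphen in `$sc-status` being read as a minus operator; the curly-brace form `${sc-status}` that NXLog accepts for field names containing such characters is the way to reference it. Below is that pipeline as an added Python example, not NXLog code and not from either post: it takes the column list from the `#Fields:` directive IIS writes, skips the other `#` lines the way `if $raw_event =~ /^#/ drop();` does, applies the status filter, and emits GELF-shaped dicts with `_`-prefixed additional fields as xm_gelf produces. The log lines, addresses and the `program1` value are constructed.

```python
"""Parse IIS W3C extended log lines, drop WebSocket upgrades (sc-status 101)
and attach a static field, emitting GELF-shaped messages.

Added example; not NXLog's code.  All sample data below is constructed."""
import json
import re

# Constructed sample in the layout IIS writes: directive lines start with '#',
# the '#Fields:' line names the columns, and '-' marks an absent value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-01-02 03:04:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-01-02 03:04:05 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2019-01-02 03:04:06 10.0.0.5 GET /ws - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 101 0 0 3
2019-01-02 03:04:07 10.0.0.5 POST /api/login - 443 alice 203.0.113.9 curl/7.64.0 - 401 2 5 8
"""

# Mirrors the FieldTypes 'integer' columns of the xm_csv extension in the posts.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
UNDEF_VALUE = "-"   # xm_csv UndefValue: the field is simply not set


def parse_w3c(text):
    """Yield one dict per data line.  Column names come from the '#Fields:'
    directive, so the parser follows whatever IIS is configured to log."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#"):                       # if $raw_event =~ /^#/ drop();
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = raw.split(" ")                       # Delimiter ' '
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {raw!r}")
        record = {}
        for name, value in zip(fields, values):
            if value == UNDEF_VALUE:
                continue
            record[name] = int(value) if name in INTEGER_FIELDS else value
        yield record


def gelf_name(name):
    """GELF additional-field names are limited to word characters, '.' and '-';
    IIS names such as cs(User-Agent) are not, so replace the offending characters."""
    return "_" + re.sub(r"[^\w.\-]", "_", name)


def to_gelf(record, static_fields):
    """Shape a record like xm_gelf output: GELF core fields plus '_'-prefixed
    additional fields; static_fields are merged in exactly like parsed ones."""
    msg = {
        "version": "1.1",
        "host": record.get("s-ip", "unknown"),
        "short_message": f"{record.get('cs-method')} {record.get('cs-uri-stem')} {record.get('sc-status')}",
    }
    for name, value in {**record, **static_fields}.items():
        msg[gelf_name(name)] = value
    return msg


def pipeline(text, static_fields, drop_status=(101,)):
    """Filter out the given HTTP status codes (101 = Switching Protocols, i.e. a
    WebSocket upgrade) and attach the static fields to everything else."""
    out = []
    for record in parse_w3c(text):
        if record.get("sc-status") in drop_status:
            continue
        out.append(to_gelf(record, static_fields))
    return out


if __name__ == "__main__":
    for m in pipeline(SAMPLE_LOG, {"system": "program1"}):  # 'program1' is a constructed value
        print(json.dumps(m))
```

Of the three constructed lines, the `/ws` upgrade (status 101) is dropped and the remaining two carry `_system: "program1"`; the absent `-` columns never appear as fields, which is what `UndefValue -` achieves in xm_csv.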
NXlog IIS log Shipping issues

I am trying to use NXLog to ship Event Logs and IIS logs to Graylog. No matter what I do in NXLog, the IIS log timestamp in Graylog is the same as the EventReceivedTime. However, the Event Log timestamps are correct. Here is a link to my config on pastebin. All the configs I found on Google set the EventTime the same way. See anything wrong?

```
$EventTime = parsedate($date + " " + $time); \
```

I tried doing a Wireshark capture to see what the difference was. NXLog compresses the data before sending it. I haven't taken the time to learn how to uncompress it. I also tried setting the timestamp manually. That didn't work either...

```
$timestamp = integer(parsedate($date + " " + $time))/1000; \
```

remedy73 created
Replies: 1
IIS logs sent via NXlog not showing up in Graylog
I'm having trouble getting my IIS logs into Graylog.
My Windows event logs show up just fine, but the IIS logs never show up.
 
I'm using NXlog per the Graylog docs. I've verified that the logs are getting sent (I have them also writing to a file, and I've checked with Wireshark to make sure the packets are being sent).
At one point I changed from using a GELF input to a raw input, and then the messages showed up but of course were unreadable as they were still in the compressed GELF format, like so:
x����n�0E��*���Í�r � �$���#�m"�����$ȿ��h9q\����J�g43�zA;h9a5J��xh�V��b���@Z��Ƕ�^���A�z:t����[Vv$��:�S��j�&�[b�>��)�������M�a�����+��vb�Ji̦�����\@%E���f��b����W��`�X��`:)���hX+P��Si�V�ɡ�'9�ݲgB)vcdz.��.ٞ[w��8�ky�L�Kk�4��pC��c'L�����폑E�#X3(٥�m۲ �H� ?r�|k�׸%��lkh����C������3��É�'u a~<l�l��z!SmWM�g��"�̦�j�o�DVp�7*�%G��Q��c"G��B���̼�(���    �`*�z�GN(�N�k] e xZU�iu�A�|ړ��Z�[���A+���C����&����}�&���'����d�Б��̻_��m�0�������]��9<ޭ������Ub�,�U�n�Q��8��F��(J�%.U?��^��wJ�a
 
I can send the messages in completely raw, but then all the data is stuck in one field.
 
Why would Graylog accept my GELF-formatted Windows event logs, but not my GELF-formatted IIS logs?
 
I'm running the latest Graylog VMware OVA, and the only changes I've made were changing the password and timezone, enforcing HTTPS, and setting up LDAP and my inputs.
 
Here's my NXlog config file:

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module         xm_gelf
</Extension>

<Extension fileop>
    Module         xm_fileop
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module             xm_csv
    Fields             $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes         string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter         ' '
    QuoteChar         '"'
    EscapeControl     FALSE
    UndefValue         -
</Extension>

<Input iis>
    Module        im_file
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC12\\u_ex*"
    SavePos      TRUE

    Exec        if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                         \
                    $Message = to_json();                        \
                }
</Input>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output graylog>
    Module      om_udp
    Host        graylog
    Port        12201
    OutputType    GELF

    #Use the following line for debugging (uncomment the fileop extension above as well)
    Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

#<Route eventlog>
#    Path        eventlog => graylog
#</Route>

<Route iis-to-graylog>
    Path        iis => graylog
</Route>
```

Any assistance will be greatly appreciated.

Nathan.Reid created
Replies: 1
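The last two posts both run into the datagram NXLog puts on the wire: one sees "compressed data" in a Wireshark capture, the other sees bytes starting with `x` on a raw Graylog input, and `x` is 0x78, the first byte of a zlib stream. The GELF `timestamp` field is seconds since the Unix epoch (optionally with decimal milliseconds), and IIS writes W3C log timestamps in UTC; an NXLog datetime converted with `integer()` is microseconds, so the `/1000` attempt in the third post yields milliseconds, a value Graylog would place far in the future. The Python below is an added example, not NXLog or Graylog code: it builds the GELF message for one IIS record with a correctly scaled timestamp, compresses it as the captures show, decodes a datagram by inspecting its leading bytes, and includes a magnitude check for a timestamp that looks wrong in Graylog. The record, host name and chunk handling are constructed assumptions (chunked GELF is only detected, not reassembled).

```python
"""Encode an IIS record as a GELF datagram, decode one off the wire, and sanity
check the timestamp scale.  Added example; not NXLog or Graylog code.
The record and host below are constructed."""
import gzip
import json
import zlib
from datetime import datetime, timezone

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # chunked GELF; reassembly is out of scope here
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_FIRST_BYTE = b"\x78"        # 'x' in the raw-input payload of the post above


def gelf_timestamp(date, time):
    """IIS W3C logs record date/time in UTC; GELF 'timestamp' is seconds since
    the Unix epoch as a float, so parse as UTC and keep seconds, not ms or us."""
    dt = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def timestamp_unit(value):
    """Magnitude heuristic for a current-era timestamp: ~1e9 seconds,
    ~1e12 milliseconds (e.g. NXLog integer(datetime)/1000), ~1e15 microseconds."""
    if value < 1e11:
        return "seconds"
    if value < 1e14:
        return "milliseconds"
    return "microseconds"


def iis_record_to_gelf(record, host):
    """GELF 1.1 core fields plus '_'-prefixed additional fields for the record."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": f"{record['cs-method']} {record['cs-uri-stem']} {record['sc-status']}",
        "timestamp": gelf_timestamp(record["date"], record["time"]),
    }
    for name, value in record.items():
        msg["_" + name] = value
    return msg


def encode_gelf(msg, compression="zlib"):
    """Serialise to JSON and compress the way a UDP GELF sender may."""
    data = json.dumps(msg).encode()
    if compression == "zlib":
        return zlib.compress(data)
    if compression == "gzip":
        return gzip.compress(data)
    if compression is None:
        return data
    raise ValueError(f"unknown compression {compression!r}")


def decode_gelf(datagram):
    """Pick the decoder from the leading bytes, as a GELF receiver has to."""
    if datagram[:2] == GELF_CHUNK_MAGIC:
        raise ValueError("chunked GELF datagram; reassemble the chunks first")
    if datagram[:2] == GZIP_MAGIC:
        data = gzip.decompress(datagram)
    elif datagram[:1] == ZLIB_FIRST_BYTE:
        data = zlib.decompress(datagram)
    elif datagram[:1] == b"{":
        data = datagram
    else:
        raise ValueError(f"not a GELF payload, leading bytes {datagram[:2]!r}")
    return json.loads(data)


if __name__ == "__main__":
    # Constructed record in the shape the xm_csv extension from the posts produces.
    record = {"date": "2019-01-02", "time": "03:04:05", "s-ip": "10.0.0.5",
              "cs-method": "GET", "cs-uri-stem": "/index.html", "sc-status": 200}
    wire = encode_gelf(iis_record_to_gelf(record, "web01"))
    print("first byte:", wire[:1], "timestamp:", decode_gelf(wire)["timestamp"])
```

Run against a captured datagram, `decode_gelf` turns the `x...` blob from the raw input back into the JSON NXLog generated, which is the quickest way to see whether the `timestamp` field is present and in seconds before suspecting Graylog.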