im_msvistalog + If/Else Statement


behr

Hi,

My working nxlog.conf relies on Query directives aimed at explicitly named Channels together with the im_msvistalog Module.

<Input blu_eventlog_iis>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Microsoft-IIS-Configuration/Administrative">*</Select>\
                    <Select Path="Microsoft-IIS-Configuration/Operational">*</Select>\
                    <Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
                </Query>\
            </QueryList>

    # Filter noise from IIS schema issues
    Exec    if ($Message =~ /Unable to find schema/) drop();

    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec    $EventTime = integer($EventTime);

    # JSON is required because some Windows logs contain new-line characters.
    Exec    $Message = to_json();
</Input>

<Output blu_out_eventlog_iis>
    Module  om_tcp
    Host    %SIEM%
    Port    %PORT%
    Exec    to_syslog_bsd();
</Output>

<Route route_eventlog_iis>
    Path    blu_eventlog_iis => blu_out_eventlog_iis
</Route>

I hoped to clean up some 15007 errors in the nxlog.log files included below:

2020-07-06 14:42:55 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

I suspect the 15007 errors are being generated because IIS isn't set up. In other words, the named IIS Channels are queried but not found.

Is it possible to add an If/Else statement as part of those Query directives? Looking over the NXlog CE Manual I only see the If/Else statement used with Exec. Any guidance would be greatly appreciated!
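A check that belongs next to this question, added here as an example and not part of the original post or of NXLog itself: the PowerShell below, run on the Windows host where NXLog is installed, asks the event log service which of the three IIS channels named in the Query directive are actually registered, warns about any that are missing (the condition behind error 15007, "the channel was not found"), and prints a Query directive covering only the channels that exist. The channel names are taken from the post; nothing beyond the built-in EventLogSession API is assumed.

```powershell
# Added example (not from the original post): verify the IIS channels exist
# before NXLog tries to subscribe to them, then emit a Query directive that
# lists only the channels found on this host.

# Channels from the post's Query directive
$wanted = @(
    'Microsoft-IIS-Configuration/Administrative',
    'Microsoft-IIS-Configuration/Operational',
    'Microsoft-IIS-Logging/Logs'
)

# GetLogNames() returns every channel registered with the local event log service
$session  = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession
$existing = $session.GetLogNames()

$present = @()
foreach ($ch in $wanted) {
    # -contains is case-insensitive, matching how the event log resolves names
    if ($existing -contains $ch) {
        $present += $ch
    } else {
        Write-Warning "channel not registered (subscribing to it fails with 15007): $ch"
    }
}

if ($present.Count -eq 0) {
    Write-Warning "none of the IIS channels exist; IIS event logging is probably not installed here"
    return
}

# Build the Query directive in nxlog.conf syntax, one <Select> per existing channel,
# with the trailing backslash continuation the directive requires
$lines = @('Query <QueryList>\', '    <Query Id="0">\')
foreach ($ch in $present) {
    $lines += "        <Select Path=`"$ch`">*</Select>\"
}
$lines += '    </Query>\'
$lines += '</QueryList>'
$lines -join "`n"
```

On a host without IIS the script prints only warnings, which confirms the 15007 cause before any nxlog.conf edits; on a host with IIS the printed block can be pasted in place of the original Query directive.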