NXLog is logging dominname instead of hostname

View thread

NP_278933

I have three different sites and configured nxlog to push logs to graylog.Below is my config.In one server hostname is getting in NXLOG but in other server with same NXLOG config and same IIS config Domain Name is getting captured instead of hostname.Both servers having same O.S windows server 2012 R2.

Any help would be greatly appreciated here

#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and

(file_size('%LOGFILE%') >= 5M))

file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

#######################################################################
#### EXTENTIONS #####
#######################################################################

<Extension _gelf>
Module xm_gelf
</Extension>

<Extension _json>
Module xm_json
</Extension>

#######################################################################
#### IIS NXLOG ######
#######################################################################

<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>

<Input pr-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PR-IIS";

$raw_event = to_json();

}
</Input>

<Input pp1-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PP1-IIS";

$raw_event = to_json();

}
</Input>

<Input pp2-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PP2-IIS";

$raw_event = to_json();

}
</Input>

<Output graylog>
Module om_udp
Host x.x.x.x
Port xxxx
OutputType GELF

Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
Path pr-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp1-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp2-iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################