IIS logs in Graylog
hello everyone,I am configuring nxlog to send IIS logs to Graylog.I managed to configure everything correctly but I would like to make the logs more readable on Graylog.I currently display them like this:
would it be possible to somehow get the login name and ip of the user who logged in out of the “message” field?my current nxlog configuration is this:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension _gelf>
Module xm_gelf
</Extension>
<Extension _json>
Module xm_json
</Extension>
#######################################################################
IIS NXLOG
#######################################################################
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC*\u_ex*"
SavePos TRUE
Exec $ShortMessage = $raw_event;
Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "IIS";\
$raw_event = to_json();\
}
</Input>
#######################################################################
/IIS NXLOG
#######################################################################
Snare compatible example configuration
Collecting event log
<Input in>
Module im_msvistalog
</Input>
Converting events to Snare format and sending them out over TCP syslog
<Output out>
Module om_tcp
Host ha-centlog-vip.xxxxxxxx
Port 12201
Exec to_json();
OutputType GELF_TCP
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
Path iis => out
</Route>
Connect input 'in' to output 'out'
<Route 1>
Path in => out
Thanks
Hello,
you could use w3c extended log format and parse it as described here: https://docs.nxlog.co/refman/current/xm/w3c.html
Your configuration already attempts to extract the user name and IP address:
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_takenthose would be $cs_username and $c_ip respectively.
btw something broke the config text you pasted, please try and fix it up. Do let me know if that was just a simple paste and it went this wrong.
