Import W3C files generates errors in logs

View thread

Austin.Downing
I am getting thousands of errors in my nxlog.log on my IIS server. Here is my config file that has been sanitized. This is a Server 2012R2 system running IIS 8. ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log Module xm_gelf ShortMessageLength 3000 Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - Module im_file File "F:\\W3SVC1\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC2\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC3\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC4\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC5\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC6\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } Module im_file File "F:\\W3SVC7\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } # Use 'im_mseventlog' for Windows XP, 2000 and 2003 Module im_msvistalog # Uncomment the following to collect specific event logs only # Query \ # \ # *\ # *\ # *\ # \ # Module om_udp Host server.corp.com Port 12201 OutputType GELF Path in => out Path iis1 => out Path iis2 => out Path iis3 => out Path iis4 => out Path iis5 => out Path iis6 => out Path iis7 => out Here are the various errors I am getting. 2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/portal/Processing/Processing.aspx", invalid modifier: 'x' 2018-12-06 16:26:08 ERROR if-else failed at line 57, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 57, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Too many fields in CSV input, expected 15, got 16 in input '2018-12-06 21:26:06 W3SVC2 10.0.1.122 POST /home/name/services/Publish/Index - 80 - 10.0.0.0 - - 303 0 0 663 915 0' 2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/home/", invalid modifier: '/'