Import W3C files generates errors in logs
Austin.Downing
I am getting thousands of errors in my nxlog.log on my IIS server. Here is my config file that has been sanitized. This is a Server 2012R2 system running IIS 8.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
ShortMessageLength 3000
</Extension>
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis1>
Module im_file
File "F:\\W3SVC1\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis2>
Module im_file
File "F:\\W3SVC2\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis3>
Module im_file
File "F:\\W3SVC3\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis4>
Module im_file
File "F:\\W3SVC4\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis5>
Module im_file
File "F:\\W3SVC5\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis6>
Module im_file
File "F:\\W3SVC6\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input iis7>
Module im_file
File "F:\\W3SVC7\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
}
</Input>
<Input in>
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# Uncomment the following to collect specific event logs only
# Query <QueryList>\
# <Query Id="0">\
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
# <Select Path="Security">*</Select>\
# </Query>\
# </QueryList>
</Input>
<Output out>
Module om_udp
Host server.corp.com
Port 12201
OutputType GELF
</Output>
<Route r>
Path in => out
</Route>
<Route iis1>
Path iis1 => out
</Route>
<Route iis2>
Path iis2 => out
</Route>
<Route iis3>
Path iis3 => out
</Route>
<Route iis4>
Path iis4 => out
</Route>
<Route iis5>
Path iis5 => out
</Route>
<Route iis6>
Path iis6 => out
</Route>
<Route iis7>
Path iis7 => out
</Route>
Here are the various errors I am getting.
2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/portal/Processing/Processing.aspx", invalid modifier: 'x'
2018-12-06 16:26:08 ERROR if-else failed at line 57, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 57, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Too many fields in CSV input, expected 15, got 16 in input '2018-12-06 21:26:06 W3SVC2 10.0.1.122 POST /home/name/services/Publish/Index - 80 - 10.0.0.0 - - 303 0 0 663 915 0'
2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/home/", invalid modifier: '/'
