Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

How to refer to fields with dash in name in Exec
Hi, I'm working on a setup for collecting IIS logs and sending them to Graylog. Here I stumbled into a problem with referring to fields with a dash in the field name. I would really like the fields to have proper W3C names in Graylog, so I don't wanna remove those dashes.

In the CSV module I have:

    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For
        FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

And in my input def I have:

    <Input iis_dodpdownload>
        Module im_file
        ....
        Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \
        { \
            drop(); \
        } \
        else \
        { \
            w3c->parse_csv(); \
            $EventTime = parsedate($date + "T" + $time + "+00:00"); \
            $SourceName = "IIS"; \
            $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; \
        }
    </Input>

The line

    $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status;

results in a parser error. If I change the field names to not contain the dash character then it works. I also tried to surround them with curly braces but it just returns a new parse error.

How can I refer to those fields/vars or escape them? Hope someone knows :-)

Best regards,
Peter Meldgaard

mulgurul created
Replies: 3
ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###
Set up NXLog to send IIS logs to Syslog. Using the following modules: xm_syslog, xm_csv, im_file, om_tcp.

My config file is the following:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT e:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                     (file_size('%LOGFILE%') >= 5M)) \
                     file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    <Extension w3c_parser>
        Module xm_csv
        Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
               s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
               sc-status, sc-substatus, sc-win32-status, time-taken
        FieldTypes string, string, string, string, string, string, integer, \
                   string, string, string, string, integer, integer, integer, \
                   integer
        Delimiter ' '
        EscapeChar '"'
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

    <Input iis_w3c>
        Module im_file
        File 'L:\Logs\W3SVC1\u_ex*.log'
        <Exec>
            if $raw_event =~ /^#/ drop();
            else
            {
                w3c_parser->parse_csv();
                $EventTime = parsedate($date + "T" + $time + ".000Z");
            }
        </Exec>
    </Input>

    <Output out>
        Module om_tcp
        Host REDACTED
        Port 514
        Exec to_syslog_ietf();
    </Output>

    <Output test>
        Module om_file
        File 'E:\Program Files (x86)\nxlog\test.log'
        CreateDir
    </Output>

    <Route w3c>
        Path iis_w3c => w3c_parser => out
    </Route>

When I start NXLog I keep getting the following error:

    ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###

Also, I can see the NXLog client is opening a TCP connection with the syslog destination but doesn't actually send any data in the transaction. (Packet trace shows SYN-SYN/ACK-ACK then immediately FIN from the client.)

I tried testing with "om-file" to see if it would at least write to a local file; this failed as well (same error in the log), so something tells me I have an error in the input module IM_FILE but I can't figure out what the error is. I took the config example from the user guide (https://nxlog.co/documentation/nxlog-user-guide/iis.html).

Any help appreciated!

bmalenfant created
Replies: 3