Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Send custom value in iis_log message
I want to know if it is possible to send a custom field and value along with the IIS log message. Currently this is my config:

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _gelf>
    #Module xm_syslog
    Module xm_gelf
    #Module xm_json
</Extension>

<Extension w3c_parser>
    Module xm_csv
    Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
           s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
           sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes string, string, string, string, string, string, integer, \
               string, string, string, string, integer, integer, integer, \
               integer
    Delimiter ' '
    EscapeChar '"'
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input in2>
    Module im_file
    File "c:\\logs\\app\\iislog\\u_extend1.log"
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + "T" + $time + ".000Z");
        }
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host 172.28.36.25
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
</Output>

<Route 1>
    Path in2 => out
</Route>

This works great, but I need to add a custom, static value to the message, like FIELD: "system", VALUE: "program1", and this value is always the same:

    date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken, **system**

Is this possible? Thanks!

Anbers created
Replies: 1
Exclude requests for web sockets from IIS logs
I have

<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

And I have

<Input iis>
    Module          im_file
    File            "C:\\inetpub\\logs\\LogFiles\\u_ex*.log"
    SavePos         TRUE
    Exec \
        if $raw_event =~ /^#/ drop(); \
        else \
        { \
            w3c->parse_csv(); \
            $EventTime = parsedate($date + " " + $time); \
            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
            $SourceName = "IIS"; \
        }
</Input>

When I'm trying to add something like

    if $raw_event =~ /^#/ or $sc-status == 101 drop(); \

I am getting an error in the log like this:

    couldn't parse statement at line 91, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected -, expecting (

I have tried to use similar options, but it doesn't work. What am I doing wrong? Help me please. Thanks.

V_Vorobey created
Replies: 1
NXlog IIS log Shipping issues
I am trying to use NXlog to ship Event Logs and IIS logs to Graylog. No matter what I do in NXlog, the IIS log timestamp in Graylog is the same as the EventReceivedTime. However, the Event Log timestamps are correct. Here is a link to my config on pastebin. All the configs I found on Google set the EventTime the same way. See anything wrong?

    $EventTime = parsedate($date + " " + $time); \

I tried doing a Wireshark capture to see what the difference was. NXlog compresses the data before sending it. I haven't taken the time to learn how to uncompress it. I also tried setting the timestamp manually. That didn't work either...

    $timestamp = integer(parsedate($date + " " + $time))/1000; \

remedy73 created
Replies: 1
IIS logs sent via NXlog not showing up in Graylog
I'm having trouble getting my IIS logs into Graylog. My Windows event logs show up just fine, but the IIS logs never show up.

I'm using NXlog per the Graylog docs. I've verified that the logs are getting sent (I have them also writing to a file, and I've checked with Wireshark to make sure the packets are being sent). At one point I changed from using a GELF input to a raw input, and then the messages showed up but of course were unreadable as they were still in the compressed GELF format, like so:

x����n�0E��*���Í�r � �$���#�m"�����$ȿ��h9q\����J�g43�zA;h9a5J��xh�V��b���@Z��Ƕ�^���A�z:t����[Vv$��:�S��j�&�[b�>��)�������M�a�����+��vb�Ji̦�����\@%E���f��b����W��`�X��`:)���hX+P��Si�V�ɡ�'9�ݲgB)vcdz.��.ٞ[w��8�ky�L�Kk�4��pC��c'L�����폑E�#X3(٥�m۲ �H� ?r�|k�׸%��lkh����C������3��É�'u a~<l�l��z!SmWM�g��"�̦�j�o�DVp�7*�%G��Q��c"G��B���̼�(���    �`*�z�GN(�N�k] e xZU�iu�A�|ړ��Z�[���A+���C����&����}�&���'����d�Б��̻_��m�0�������]��9<ޭ������Ub�,�U�n�Q��8��F��(J�%.U?��^��wJ�a

I can send the messages in completely raw, but then all the data is stuck in one field.

Why would Graylog accept my GELF-formatted Windows event logs, but not my GELF-formatted IIS logs?

I'm running the latest Graylog VMware OVA, and the only changes I've made were changing the password and timezone, enforcing HTTPS, and setting up LDAP and my inputs.

Here's my NXlog config file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension fileop>
    Module      xm_fileop
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis>
    Module      im_file
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC12\\u_ex*"
    SavePos     TRUE
    Exec        if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                         \
                    $Message = to_json();                        \
                }
</Input>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output graylog>
    Module      om_udp
    Host        graylog
    Port        12201
    OutputType  GELF

    #Use the following line for debugging (uncomment the fileop extension above as well)
    Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

#<Route eventlog>
#    Path        eventlog => graylog
#</Route>

<Route iis-to-graylog>
    Path        iis => graylog
</Route>

Any assistance will be greatly appreciated.

Nathan.Reid created
Replies: 1