
I am trying to use NXlog to ship Event Logs and IIS logs to Graylog. No matter what I do in NXlog the IIS log timestamp in Graylog is the same as the EventReceivedTime. However, the Event Log timestamps are correct. Here is a link to my config on pastebin. All the configs I found on Google set the EventTime the same way. See anything wrong?


$EventTime = parsedate($date + " " + $time); \


I tried doing a WireShark capture to see what the difference was. NXlog compresses the data before sending it. I haven't taken the time to learn how to uncompress it. I also tried setting the timestamp manually. That didn't work either...


$timestamp = integer(parsedate($date + " " + $time))/1000; \


Asked October 15, 2015 - 4:20pm

Answer (1)

GELF_UDP is zlib compressed. You can use GELF_TCP with om_tcp, this is not compressed.

The timestamp field in the GELF packet is set from the value of EventTime, if this is undef then EventReceivedTime is used. I guess parsedate($date + " " + $time); fails and returns undef. You should debug that further.


Answered October 15, 2015 - 8:02pm

Comments (2)


    I don't believe it is undefined. I have added the following two fields to test with. $TestTime has lost the millisecond precision, so the type is DateTime I believe.

    $TestTime = parsedate($date + " " + $time); \
    $TestTime2 = $date + " " + $time; \

    Values in Graylog:

    TestTime = 2015-10-15 20:09:07
    TestTime2 = 2015-10-15 20:09:07.835


    October 15, 2015 - 10:16pm

    I fixed this. It just needed a Z added to the end of the string.


    $EventTime = parsedate($date + " " + $time + "Z"); \

    October 16, 2015 - 1:15am
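The flow the answer describes (GELF "timestamp" taken from EventTime, falling back to EventReceivedTime when EventTime is undef) and the fix in the last comment (appending "Z" so the W3C date and time are read as UTC) can be modelled in a few lines. The Python below is an added example, not NXlog's own code or the poster's config; the IIS log lines are constructed, the field order `date time ...` is assumed, and the `parsedate` here is a stand-in that does not reproduce NXlog's internals.

```python
"""Model of how a GELF 'timestamp' is derived from an IIS W3C log line.

Added example (not NXlog code). Assumptions: W3C field order is 'date time ...',
IIS writes its timestamps in UTC, and a trailing 'Z' makes that explicit.
"""
from datetime import datetime, timezone

# Constructed IIS W3C log lines (not taken from the original post).
SAMPLE_LINES = [
    "2015-10-15 20:09:07.835 GET /index.html 200",   # with milliseconds
    "2015-10-15 20:09:08 GET /favicon.ico 404",      # whole seconds only
    "garbage line without a date",                   # unparseable: triggers fallback
]

# Layouts tried in order: fractional seconds or not, each with the 'Z' UTC designator.
_FORMATS = (
    "%Y-%m-%d %H:%M:%S.%fZ",
    "%Y-%m-%d %H:%M:%SZ",
)


def parsedate(text):
    """Return an aware UTC datetime, or None (NXlog's undef) if no layout matches."""
    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return parsed.replace(tzinfo=timezone.utc)
    return None


def gelf_timestamp(event_time, event_received_time):
    """GELF 'timestamp' is seconds since the epoch with a fractional part.

    When EventTime is undef the receive time is used instead, which is exactly
    the symptom in the question: the IIS timestamp equals EventReceivedTime.
    """
    chosen = event_time if event_time is not None else event_received_time
    return chosen.timestamp()


def build_record(line, received):
    """Split the W3C line into $date and $time and set EventTime as the config does."""
    fields = line.split(" ")
    date, time = fields[0], fields[1]
    # The fix from the comment: append "Z" so the string carries its UTC offset.
    event_time = parsedate(date + " " + time + "Z")
    return {
        "EventTime": event_time,
        "EventReceivedTime": received,
        "timestamp": gelf_timestamp(event_time, received),
        "used_received_time": event_time is None,
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sample in SAMPLE_LINES:
        rec = build_record(sample, now)
        print(sample[:23], "->", rec["timestamp"],
              "(fallback)" if rec["used_received_time"] else "")
```

Run it and the first two lines keep their own timestamps (the first with the .835 millisecond fraction intact), while the unparseable third line silently picks up the receive time. That silent fallback is worth a dedicated check in any pipeline: comparing EventTime against EventReceivedTime for a sample of IIS records is the quickest way to spot a parse that is failing without raising an error.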