Let's Talk Start free
Let's Talk Start free

NXlog IIS log Shipping issues

Tags: graylog iis
#1 remedy73

I am trying to use NXlog to ship Event Logs and IIS logs to Graylog. No matter what I do in NXlog the IIS log timestamp in Graylog is the same as the EventReceivedTime. However, the Event Log timestamps are correct. Here is a link to my config on pastebin. All the configs I found on Google set the EventTime the same way. See anything wrong?


$EventTime = parsedate($date + " " + $time); \

I tried doing a WireShark capture to see what the difference was. NXlog compresses the data before sending it. I haven't taken the time to learn how to uncompressit. I also tried setting the timestamp manually. That didn't work either...


$timestamp = integer(parsedate($date + " " + $time))/1000; \
Permalink
#2 admDeactivated Nxlog ✓
#1 remedy73
I am trying to use NXlog to ship Event Logs and IIS logs to Graylog. No matter what I do in NXlog the IIS log timestamp in Graylog is the same as the EventReceivedTime. However, the Event Log timestamps are correct. Here is a link to my config on pastebin. All the configs I found on Google set the EventTime the same way. See anything wrong? $EventTime = parsedate($date + " " + $time); \ I tried doing a WireShark capture to see what the difference was. NXlog compresses the data before sending it. I haven't taken the time to learn how to uncompressit. I also tried setting the timestamp manually. That didn't work either... $timestamp = integer(parsedate($date + " " + $time))/1000; \

GELF_UDP is zlib compressed. You can use GELF_TCP with om_tcp, this is not compressed.

The timestamp field in the GELF packet is set from the value of EventTime, if this is undef then EventReceivedTime is used. I guess parsedate($date + " " + $time); fails and returns undef. You should debug that further.

 
Login to see more