Hello Guys,

I have a question about NXLog IIS7 W3C logs. I set NXLog up and it basically works, but the NXLog logs are full of error messages like this:

2016-04-26 09:46:36 ERROR if-else failed at line 64, character 257 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 64, character 113 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; couldn't parse integer: language=UK&region=802&idfwbonavigation=180173.2

It looks like the IIS logs contain an "=" sign in the $cs-uri-query field, and NXLog wants an integer after the "=", however the field is set to be string in the config file.

Have you ever met anything like this? And if yes, what could be the solution?

 

NXLog extension and input config:

<Extension exiis>
    Module        xm_csv
    Fields        $date $time $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs(User-Agent) $cs(Cookie) $cs(Referer) $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
    FieldTypes    string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer, integer, integer
    Delimiter    ' '
    QuoteChar    '"'
    EscapeControl    FALSE
    UndefValue    -
</Extension>

<Input IIS>
    Module        im_file
    File        "D:\\Logs\\IIS\\W3SVC300\\u_ex*"
    SavePos        TRUE
    Recursive    FALSE
    Exec if $raw_event =~ /^#/ drop(); \
        else \
        { \
            exiis->parse_csv(); \
            $EventTime = parsedate($date + " " + $time); \
            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
        }
</Input>

 

Asked April 26, 2016 - 12:20pm

Answers (2)

In similar cases the issue was that IIS did not escape the URL part and the delimiter character (space or ;) was present in the URL which caused the CSV parser to fail.

You should look at the offending line(s) causing the parser errors to confirm if that's the case.

Answered May 2, 2016 - 5:18pm

Comments (1)

  • CSimpiFoN

    The problem was in the Fields and FieldTypes pairing. With the configuration below it is working now:

     

    Fields        $date $time $s-sitename $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs(User-Agent) $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
    FieldTypes    string, string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer, integer, integer

     

    Don't forget to set the fields in the IIS Logging options too.

     

    May 6, 2016 - 6:50pm

The problem was in the Fields and FieldTypes pairing. With the configuration below it is working now:

 

Fields        $date $time $s-sitename $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs(User-Agent) $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
FieldTypes    string, string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer, integer, integer

 

Don't forget to set the fields in the IIS Logging options too.

Answered May 6, 2016 - 6:50pm
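
An added example, not part of the thread and not NXLog code: a Python check that compares the `#Fields:` directive IIS writes at the top of each W3C log with the xm_csv Fields / FieldTypes pairing, which is the mismatch behind the "couldn't parse integer" error above. The sample header is constructed from the working Fields line in the thread, and `INTEGER_FIELDS` and the function names are assumptions of this example.

```python
import re
# Columns IIS writes as numbers (this example's assumption); the rest are strings.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}

def iis_fields(log_lines):
    """Field names from the last '#Fields:' directive in an IIS W3C log."""
    headers = [ln for ln in log_lines if ln.startswith("#Fields:")]
    if not headers:
        raise ValueError("no #Fields: directive found")
    return headers[-1][len("#Fields:"):].split()

def nxlog_fields(conf_text):
    """(name, type) pairs from the xm_csv Fields / FieldTypes directives."""
    def directive(key):
        m = re.search(rf"^[ \t]*{key}[ \t]+(.+)$", conf_text, re.M)
        if m is None:
            raise ValueError(f"{key} directive not found")
        return m.group(1)
    names = [n.lstrip("$") for n in re.split(r"[,\s]+", directive("Fields").strip())]
    types = [t.strip() for t in directive("FieldTypes").split(",")]
    if len(names) != len(types):
        raise ValueError(f"{len(names)} Fields but {len(types)} FieldTypes")
    return list(zip(names, types))

def compare(log_lines, conf_text):
    """Every position where the config disagrees with the log's own header."""
    actual, configured = iis_fields(log_lines), nxlog_fields(conf_text)
    problems = []
    if len(actual) != len(configured):
        problems.append(f"log has {len(actual)} columns, config has {len(configured)}")
    for pos, (name, (c_name, c_type)) in enumerate(zip(actual, configured), 1):
        want = "integer" if name in INTEGER_FIELDS else "string"
        if (name, want) != (c_name, c_type):
            problems.append(f"column {pos}: log {name} ({want}), config {c_name} ({c_type})")
    return problems

# Constructed sample: header inferred from the working Fields line in the thread.
SAMPLE_LOG = ["#Version: 1.0", "#Fields: date time s-sitename s-ip cs-method cs-uri-stem "
              "cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus "
              "sc-win32-status sc-bytes cs-bytes time-taken"]
# Fields / FieldTypes exactly as posted in the question.
QUESTION_CONF = """
    Fields        $date $time $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs(User-Agent) $cs(Cookie) $cs(Referer) $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
    FieldTypes    string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer, integer, integer
"""
if __name__ == "__main__":
    print("\n".join(compare(SAMPLE_LOG, QUESTION_CONF)))
```

Against the question's config this reports column 7 as `cs-uri-query` in the log but `s-port` (integer) in the config, which is where the query string was being parsed as a number.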