Exclude requests for web sockets from IIS logs


#1 V_Vorobey

I have 

 

<Extension w3c>
    Module            xm_csv
    Fields            $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes        string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer
    Delimiter        ' '
    QuoteChar        '"'
    EscapeControl    FALSE
    UndefValue        -
</Extension>

 

And I have

 

<Input iis>
    Module            im_file
    File            "C:\\inetpub\\logs\\LogFiles\\u_ex*.log"
    SavePos            TRUE
    Exec \
                    if $raw_event =~ /^#/ drop(); \
                    else \
                        { \
                            w3c->parse_csv(); \
                            $EventTime = parsedate($date + " " + $time); \
                            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                            $SourceName = "IIS"; \
                        }
</Input>

 

When I'm trying to add something like if $raw_event =~ /^#/ or $sc-status == 101 drop(); \

I am getting an error in the log like this:

couldn't parse statement at line 91, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected -, expecting (

I have tried to use similar options, but it doesn't work.

What am I doing wrong? Help me please. Thanks.

 

#2 b0ti Nxlog ✓

Unfortunately the minus sign '-' confuses the config parser as that is treated as an operator.

Your options are:

1. With the NXLog EE you can reference a field name containing special characters with curly braces:

${sc-status}

This enhancement should appear in the next NXLog CE release also, but it is not supported currently.

2. Avoid using the '-' sign in field names and use underscore instead:

Fields            $date, $time, $s_ip, $cs_method, $cs_uri_stem, ...
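
Option 2 applied to the configuration from the question, as an added example (not code from either poster or from NXLog). The field names are the question's own with '-' replaced by '_', and the 101 check is placed after parse_csv() on the assumption that $sc_status has no value until the line has been parsed, so it cannot be tested in the same condition as the /^#/ header check.

```conf
<Extension w3c>
    Module          xm_csv
    # Same columns as in the question, with '-' replaced by '_'
    Fields          $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $csUser_Agent, $cs_Referer, $cs_host, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis>
    Module          im_file
    File            "C:\\inetpub\\logs\\LogFiles\\u_ex*.log"
    SavePos         TRUE
    # 1. Drop W3C header lines (they start with '#').
    # 2. Parse the line so that $sc_status is populated.
    # 3. Drop WebSocket upgrade responses (HTTP 101); the remaining
    #    statements sit in the else branch so nothing touches the
    #    record after drop().
    Exec \
                    if $raw_event =~ /^#/ drop(); \
                    else \
                        { \
                            w3c->parse_csv(); \
                            if $sc_status == 101 drop(); \
                            else \
                                { \
                                    $EventTime = parsedate($date + " " + $time); \
                                    $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                                    $SourceName = "IIS"; \
                                } \
                        }
</Input>
```

Renaming the fields also renames them in the output, so anything downstream that matches on names such as sc-status needs the underscore form.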