I have previously got SMTP logs to go into Graylog using NXLog, and it was working fine. I then had a disk space issue on the Graylog host so had to redo some bits, including the nxlog.conf for our SMTP server.
The SMTP log header specifies the following:
#Software: Microsoft Internet Information Services 8.5
#Date: 2017-03-26 23:00:10
#Fields: date time c-ip cs-username s-sitename s-computername s-port cs-method cs-uri-query sc-bytes time-taken
This is the error I am getting:
ERROR if-else failed at line 44, character 436 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 44, character 224 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 11, got 8 in input
I have checked and rechecked and there should be 11 items as per the .conf.
define ROOT C:\Program Files (x86)\nxlog
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
Fields $date, $time, $c-ip, $cs-username, $s-sitename, $s-computername, $s-port, $cs-method, $cs-uri-query, $sc-bytes, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, integer, integer
Delimiter ' '
Exec if $raw_event =~ /^#/ drop(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "smtp"; \
$Message = to_json(); \
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
Path eventlog => graylog
Path smtp => graylog
It's so frustrating that I know this was working correctly.
Any help would be great.
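One way to find which log lines disagree with the 11-field list in the config above, as an added example that is not part of the original post: the script compares every #Fields header and every data row in a log against the configured field list. The sample log is constructed, and its 8-field second header is an assumption used only to produce a mismatch.

```python
import io
import sys

# Field list copied from the Fields directive in the nxlog.conf on this page.
CONF_FIELDS = ("date time c-ip cs-username s-sitename s-computername "
               "s-port cs-method cs-uri-query sc-bytes time-taken").split()

def audit_w3c(stream, conf_fields=CONF_FIELDS, delimiter=" "):
    """Return (header_mismatches, bad_rows) for a W3C/IIS-style log stream.

    header_mismatches: (line_no, fields) for each #Fields header that differs
    from conf_fields. bad_rows: (line_no, got, line) for each data row whose
    field count differs from len(conf_fields).
    """
    header_mismatches, bad_rows = [], []
    for line_no, raw in enumerate(stream, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # A log file can carry more than one #Fields header; check each.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                if fields != list(conf_fields):
                    header_mismatches.append((line_no, fields))
            continue
        got = len(line.split(delimiter))
        if got != len(conf_fields):
            bad_rows.append((line_no, got, line))
    return header_mismatches, bad_rows

# Constructed sample log (addresses and host names are placeholders).
SAMPLE = "\n".join([
    "#Software: Microsoft Internet Information Services 8.5",
    "#Date: 2017-03-26 23:00:10",
    "#Fields: " + " ".join(CONF_FIELDS),
    "2017-03-26 23:00:10 192.0.2.10 - SMTPSVC1 MAIL01 25 EHLO +mail.example.test 250 0",
    "#Date: 2017-03-27 09:15:00",
    "#Fields: date time c-ip cs-username s-port cs-method sc-bytes time-taken",
    "2017-03-27 09:15:02 192.0.2.10 - 25 QUIT 240 15",
])

if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the sample.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else io.StringIO(SAMPLE)
    headers, rows = audit_w3c(src)
    for n, fields in headers:
        print(f"line {n}: #Fields lists {len(fields)} fields, config expects {len(CONF_FIELDS)}")
    for n, got, line in rows:
        print(f"line {n}: expected {len(CONF_FIELDS)} fields, got {got}: {line}")
```
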