1
answer

When attempting to input IIS logs I see the following error: 'ERROR invalid keyword: w3c->parse_csv()'. Has anyone come across this before and knows how I can parse IIS log into a JSON format to input to redis
my config

<Extension _exec>
Module xm_exec
</Extension>

<Extension _json>
Module xm_json
</Extension>

<Extension _csv>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs(User_Agent), $cs(Referer), $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer
</Extension>

<Extension w3c>
Module xm_csv
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs(User_Agent), $cs(Referer), $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer
Delimiter ' '
QuoteChar '''
</Extension>

<Extension w3cinput>
Module xm_w3c
Delimiter ' '
</Extension>

<Input iis_logs>
Module im_file
File "C:\inetpub\logs\W3SVC2\u_ex*.log"
ReadFromLast True
Recursive True
SavePos True
Exec if $raw_event =~ /^#/ drop(); \
else \
{
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
to_json(); \
}
</Input>

<output out_iis>
Module om_redis
Host #
Port #
Key "iis"
</Output>

<Route 1>
Path iis_logs => out_iis
</Route>

AskedJuly 30, 2018 - 5:06pm

Answer (1)

It's because there is a missing newline escape \ after the curly bracket {.

You should either put \ at the end of each line when using Exec or use <Exec> without the backslashes.

AnsweredJuly 30, 2018 - 5:21pm