Sending IIS W3C to Syslog

#1 jmeyers

Hello,

I currently am sending ms eventlogs from a server to our syslog server, and this is working fine. So I wanted to add to the nxlog conf file to allow it to collect the IIS W3C logs from this server as well and send them to the syslog server. A lot of the support examples out there added scripting to parse the w3c logs to json format. I do not want to do this. Just need the raw logs to go to our syslog server. Below is my conf file. I'd appreciate pointers and/or the pointing out of errors.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-sitename, $s-computername, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs-version, $cs_User_Agent, $cs(Cookie), $cs_Referer, $cs-host, $sc_status, $sc_substatus, $sc_win32_status, $sc-bytes, $cs-bytes, $time_taken
    FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer, integer, integer
    Delimiter ' '
</Extension>

<Input EventLogs>
    Module im_msvistalog
</Input>

<Input IIS>
    Module im_file
    File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos TRUE
    UndefValue -
</Input>

<Output Syslog>
    Module om_udp
    Host 172.16.x.x
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path EventLogs, IIS => Syslog
</Route>

#2 Zhengshi Nxlog ✓

While you are troubleshooting, the NXLog log file and the configuration verify option (-v) are useful.

C:\Program Files\nxlog>nxlog.exe -f -v -c conf/test.conf
2018-07-10 11:59:36 ERROR module 'Syslog' is already defined at conf/test.conf:30

C:\Program Files\nxlog>nxlog.exe -f -v -c conf/test.conf
2018-07-10 12:00:09 ERROR invalid keyword: UndefValue at conf/test.conf:26

For the first error I changed <Extension syslog> to <Extension _syslog>.
For the second error, UndefValue is a property of xm_csv and im_file does not use it.

I would start here and move forward. Note that there are some examples in the manual that do not convert to JSON. Might browse through and see if something there helps as well.
https://nxlog.co/documentation/nxlog-user-guide#iis
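
The following is an added example, not part of either post and not taken from the NXLog manual: the configuration from the question with the two reported errors corrected and the IIS lines forwarded unparsed. Moving the syslog formatting into each input, using to_syslog_bsd() for the file lines, the 'IIS' source name, dropping the W3C header lines and single-quoting the path are assumptions made for the example.

```conf
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Renamed from "syslog": the name collided with <Output Syslog>
# (first error in the thread).
<Extension _syslog>
    Module  xm_syslog
</Extension>

# No xm_csv extension here: the IIS lines are forwarded without parsing.

<Input EventLogs>
    Module  im_msvistalog
    # Event log records keep the Snare format used in the question.
    Exec    to_syslog_snare();
</Input>

<Input IIS>
    Module  im_file
    # Assumption: single quotes so the backslashes are taken literally.
    File    'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*'
    SavePos TRUE
    # UndefValue removed: it is an xm_csv directive, not an im_file one
    # (second error in the thread).
    # Assumption: skip the W3C header lines (they start with '#') and wrap
    # every other line, untouched, in a BSD syslog header.
    Exec    if $raw_event =~ /^#/ drop(); \
            else { $SourceName = 'IIS'; $Message = $raw_event; to_syslog_bsd(); }
</Input>

<Output Syslog>
    Module  om_udp
    # Address is elided on the page; substitute the collector's address.
    Host    172.16.x.x
    Port    514
</Output>

<Route 1>
    Path    EventLogs, IIS => Syslog
</Route>
```

Running the -v check shown in the answer against this file before restarting the service confirms that neither error is reported any more.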