Hello,
I am currently sending MS event logs from a server to our syslog server, and this is working fine. So I wanted to add to the nxlog conf file to allow it to collect the IIS W3C logs from this server as well and send them to the syslog server. A lot of the support examples out there added scripting to parse the W3C logs to JSON format. I do not want to do this. Just need the raw logs to go to our syslog server. Below is my conf file. I'd appreciate pointers and/or the pointing out of errors.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Field layout of the W3C log format. Nothing below calls w3c->parse_csv(),
# so the IIS lines are forwarded unparsed, which is what the question asks for.
<Extension w3c>
    Module     xm_csv
    Fields     $date, $time, $s-sitename, $s-computername, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs-version, $cs_User_Agent, $cs(Cookie), $cs_Referer, $cs-host, $sc_status, $sc_substatus, $sc_win32_status, $sc-bytes, $cs-bytes, $time_taken
    FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer, integer, integer
    Delimiter  ' '
    # UndefValue is an xm_csv directive; it is not accepted inside an im_file block
    UndefValue -
</Extension>

<Input EventLogs>
    Module im_msvistalog
</Input>

<Input IIS>
    Module  im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos TRUE
</Input>

<Output Syslog>
    Module om_udp
    Host   172.16.x.x
    Port   514
    Exec   to_syslog_snare();
</Output>

<Route 1>
    Path EventLogs, IIS => Syslog
</Route>
Comments (11)
im_file will put the data into $raw_event. It uses the fields mentioned in the documentation for that. If missing, you'll see an N/A instead as the Snare format was designed for the windows eventlog. Obviously you need to tweak the config in order for the two to play nice.
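One way to make the two play nice, as an added example config that is not the original poster's or NXLog's own: a single UDP output that picks the syslog formatter per source, keeping the Snare format for the event log and sending each IIS line as a plain BSD syslog message whose body is the raw W3C line. The global directives (define ROOT, Moduledir and so on) are unchanged from the question and omitted here; 172.16.x.x is the question's placeholder host, and the IIS-W3C tag is an assumed label.

```conf
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input EventLogs>
    Module  im_msvistalog
</Input>

<Input IIS>
    Module  im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos TRUE
    # IIS writes #Software/#Version/#Date/#Fields header lines at the top
    # of every log file; drop them so only access records are forwarded.
    Exec    if $raw_event =~ /^#/ drop();
    # Assumed label: to_syslog_bsd() uses $SourceName as the syslog TAG,
    # so the collector can tell IIS lines from other sources.
    Exec    $SourceName = "IIS-W3C";
</Input>

<Output Syslog>
    Module  om_udp
    Host    172.16.x.x
    Port    514
    # $SourceModuleName holds the name of the Input instance that produced
    # the event. Event-log records keep the Snare format the collector
    # already accepts; IIS lines go out as BSD syslog with the untouched
    # W3C line as the message, so no N/A Snare fields are generated.
    <Exec>
        if $SourceModuleName == "IIS"
            to_syslog_bsd();
        else
            to_syslog_snare();
    </Exec>
</Output>

<Route 1>
    Path    EventLogs, IIS => Syslog
</Route>
```

If the collector must see the header lines too, remove the drop() line; SavePos keeps the read position across restarts so rotated u_ex files are not resent.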