This is so strange, I was looking at the previous questions regarding the type of failure and we're seeing it too, but not related to IIS logs but ftp logs. Here I'll include a sample of the logs and part of the config.

2018-07-25 12:42:02 ERROR if-else failed at line 449, character 236 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 449, character 90 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 12, got 1 in input 'java.lang.NullPointerException' 2018-07-25 12:42:02 ERROR if-else failed at line 449, character 236 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 449, character 90 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 12, got 8 in input '20180725 12:42:01 ERROR Exception Caught in channel 1189859467: ' 2018-07-25 12:42:02 ERROR if-else failed at line 449, character 236 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 449, character 90 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 12, got 5 in input 'java.net.ConnectException: Connection refused: connect: /xx.xx.xx.xx:22'

Windows FTP events log:

<Input FTP_Logs> Module im_file File "D:\GAMFT\logs\goanywhere_*" SavePos TRUE

Exec if $raw_event =~/^#|(\s+at\s+)/ drop();\
   else\
   {\
        w3c_ftp->parse_csv();\
              $EventTime = parsedate($date + " " + $time);\
              $SourceName = "WINFTP";\
        $raw_event = to_json();\
   }

the config looks right too me. Suggestions?