0
answers

I am getting thousands of errors in my nxlog.log on my IIS server. Here is my config file that has been sanitized. This is a Server 2012R2 system running IIS 8.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
ShortMessageLength 3000
</Extension>

<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis1>

    Module      im_file
    File        "F:\\W3SVC1\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis2>

    Module      im_file
    File        "F:\\W3SVC2\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis3>

    Module      im_file
    File        "F:\\W3SVC3\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis4>

    Module      im_file
    File        "F:\\W3SVC4\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis5>

    Module      im_file
    File        "F:\\W3SVC5\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis6>

    Module      im_file
    File        "F:\\W3SVC6\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis7>

    Module      im_file
    File        "F:\\W3SVC7\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>


<Input in>
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# Uncomment the following to collect specific event logs only
# Query <QueryList>\
# <Query Id="0">\
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
# <Select Path="Security">*</Select>\
# </Query>\
# </QueryList>
</Input>

<Output out>
Module om_udp
Host server.corp.com
Port 12201
OutputType GELF
</Output>

<Route r>
Path in => out
</Route>

<Route iis1>
Path iis1 => out
</Route>

<Route iis2>
Path iis2 => out
</Route>

<Route iis3>
Path iis3 => out
</Route>

<Route iis4>
Path iis4 => out
</Route>

<Route iis5>
Path iis5 => out
</Route>

<Route iis6>
Path iis6 => out
</Route>

<Route iis7>
Path iis7 => out
</Route>

Here are the various errors I am getting.

2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/portal/Processing/Processing.aspx", invalid modifier: 'x'

2018-12-06 16:26:08 ERROR if-else failed at line 57, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 57, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Too many fields in CSV input, expected 15, got 16 in input '2018-12-06 21:26:06 W3SVC2 10.0.1.122 POST /home/name/services/Publish/Index - 80 - 10.0.0.0 - - 303 0 0 663 915 0'

2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/home/", invalid modifier: '/'
AskedDecember 7, 2018 - 2:18pm

Comments (2)

  • Austin Downing's picture

    Looks like my awesome devs added new fields without telling me, adding the new fields they modified fixed the issue.

    December 7, 2018 - 4:49pm
  • b0ti's picture
    (NXLog)

    FYI, the xm_w3c module that comes with the NXLog Enterprise Edition can automatically detect the fields to prevent such situations.

    December 7, 2018 - 7:59pm

Answers (0)