Import W3C files generates errors in logs


#1 Austin.Downing

I am getting thousands of errors in my nxlog.log on my IIS server. Here is my config file that has been sanitized. This is a Server 2012R2 system running IIS 8.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

# ROOT is the NXLog installation directory. The commented-out define is the
# alternative path without "(x86)"; only one of the two may be active.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

# Every runtime path below is derived from ROOT.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# NXLog's own log file; the parse errors quoted on this page are written here.
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
# Loads xm_gelf, which provides the GELF output type used by <Output out>.
Module xm_gelf
# Presumably caps the length of the GELF short_message field - confirm in the
# xm_gelf reference.
ShortMessageLength 3000
</Extension>

<Extension w3c>
    # xm_csv instance that splits each IIS W3C log line into named fields.
    # Fields and FieldTypes are positional: they must list exactly the columns
    # IIS writes, in the same order as the "#Fields:" header of the log files.
    # A mismatch shifts values into the wrong fields, e.g. a referer URL ends
    # up in an integer field and parse_csv fails ("cannot parse integer").
    # NOTE(review): 15 columns are declared here, but the sample line in the
    # "Too many fields" error on this page holds 18 space-separated values.
    # It looks like s-sitename (after time) and sc-bytes / cs-bytes (before
    # time-taken) are also being logged - confirm against each site's
    # "#Fields:" header, since all seven inputs share this one definition.
    Module 			xm_csv
    Fields 			$date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes 		string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    # W3C extended logs are space-delimited.
    Delimiter 		' '
    QuoteChar 		'"'
    EscapeControl 	FALSE
    # IIS writes "-" for an empty column; such values are left undefined
    # instead of being type-converted.
    UndefValue 		-
</Extension>

<Input iis1>

    # Reads the IIS W3C log files matching F:\W3SVC1\u_ex*. SavePos TRUE keeps
    # the read position so a restart resumes where it stopped.
    # Per line, the Exec drops lines starting with "#" (the W3C header lines,
    # including the "#Fields:" column list), parses everything else with the
    # w3c xm_csv instance, builds $EventTime from $date and $time and sets
    # $SourceName to "IIS".
    # NOTE(review): because the "#Fields:" header is dropped, a change in the
    # columns IIS logs only shows up as parse_csv errors in nxlog.log. When
    # parse_csv fails the rest of the else block is aborted, so $EventTime and
    # $SourceName are not set for that line - check how such records arrive at
    # the collector and alert on these errors.
    Module      im_file
    File        "F:\\W3SVC1\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis2>

    # Reads F:\W3SVC2\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header. The "Too many fields" sample on
    # this page carries W3SVC2 in its third column.
    Module      im_file
    File        "F:\\W3SVC2\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis3>

    # Reads F:\W3SVC3\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header.
    Module      im_file
    File        "F:\\W3SVC3\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis4>

    # Reads F:\W3SVC4\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header.
    Module      im_file
    File        "F:\\W3SVC4\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis5>

    # Reads F:\W3SVC5\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header.
    Module      im_file
    File        "F:\\W3SVC5\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis6>

    # Reads F:\W3SVC6\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header.
    Module      im_file
    File        "F:\\W3SVC6\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>

<Input iis7>

    # Reads F:\W3SVC7\u_ex* and runs the Exec on every line: "#" header lines
    # are dropped, all other lines go through w3c->parse_csv(), then
    # $EventTime and $SourceName are set.
    # NOTE(review): a parse_csv failure aborts the Exec before $EventTime and
    # $SourceName are assigned; the column list in <Extension w3c> has to
    # match this site's "#Fields:" header.
    Module      im_file
    File        "F:\\W3SVC7\\u_ex*"
    SavePos     TRUE
      Exec            if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                                         \
                }
</Input>


<Input in>
# Windows Event Log input.
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# The Query below is commented out, so no channel filter is configured here.
# NOTE(review): presumably that means every event log the service can read is
# forwarded, Security included - confirm, and narrow the Query if that is more
# than the collector should receive.
# Uncomment the following to collect specific event logs only
# Query <QueryList>\
# <Query Id="0">\
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
# <Select Path="Security">*</Select>\
# </Query>\
# </QueryList>
</Input>

<Output out>
# Sends every routed event as GELF over UDP to server.corp.com, port 12201.
# NOTE(review): UDP gives no delivery guarantee, and this block configures no
# encryption or authentication, so events can be lost without notice and
# travel in clear text. If the collector supports it, a TCP or TLS output
# (om_tcp / om_ssl with OutputType GELF_TCP) is the safer transport for
# event-log and web-access data - confirm receiver support first.
Module om_udp
Host server.corp.com
Port 12201
OutputType GELF
</Output>

# One route per input. All eight routes end in the same output, "out", so the
# Windows Event Log records and the seven IIS log streams share one GELF
# destination.
<Route r>
Path in => out
</Route>

<Route iis1>
Path iis1 => out
</Route>

<Route iis2>
Path iis2 => out
</Route>

<Route iis3>
Path iis3 => out
</Route>

<Route iis4>
Path iis4 => out
</Route>

<Route iis5>
Path iis5 => out
</Route>

<Route iis6>
Path iis6 => out
</Route>

<Route iis7>
Path iis7 => out
</Route>

Here are the various errors I am getting.

2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/portal/Processing/Processing.aspx", invalid modifier: 'x'

2018-12-06 16:26:08 ERROR if-else failed at line 57, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 57, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Too many fields in CSV input, expected 15, got 16 in input '2018-12-06 21:26:06 W3SVC2 10.0.1.122 POST /home/name/services/Publish/Index - 80 - 10.0.0.0 - - 303 0 0 663 915 0'

2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/home/", invalid modifier: '/'
#2 Austin.Downing
#1 Austin.Downing
I am getting thousands of errors in my nxlog.log on my IIS server. Here is my config file that has been sanitized. This is a Server 2012R2 system running IIS 8. ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension gelf> Module xm_gelf ShortMessageLength 3000 </Extension> <Extension w3c> Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input iis1> Module im_file File "F:\\W3SVC1\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input iis2> Module im_file File "F:\\W3SVC2\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input iis3> Module im_file File "F:\\W3SVC3\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input iis4> Module im_file File "F:\\W3SVC4\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; 
\ } </Input> <Input iis5> Module im_file File "F:\\W3SVC5\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input iis6> Module im_file File "F:\\W3SVC6\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input iis7> Module im_file File "F:\\W3SVC7\\u_ex*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c->parse_csv(); \ $EventTime = parsedate($date + " " + $time); \ $SourceName = "IIS"; \ } </Input> <Input in> # Use 'im_mseventlog' for Windows XP, 2000 and 2003 Module im_msvistalog # Uncomment the following to collect specific event logs only # Query <QueryList>\ # <Query Id="0">\ # <Select Path="Application">*</Select>\ # <Select Path="System">*</Select>\ # <Select Path="Security">*</Select>\ # </Query>\ # </QueryList> </Input> <Output out> Module om_udp Host server.corp.com Port 12201 OutputType GELF </Output> <Route r> Path in => out </Route> <Route iis1> Path iis1 => out </Route> <Route iis2> Path iis2 => out </Route> <Route iis3> Path iis3 => out </Route> <Route iis4> Path iis4 => out </Route> <Route iis5> Path iis5 => out </Route> <Route iis6> Path iis6 => out </Route> <Route iis7> Path iis7 => out </Route> Here are the various errors I am getting. 2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/portal/Processing/Processing.aspx", invalid modifier: 'x' 2018-12-06 16:26:08 ERROR if-else failed at line 57, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. 
statement execution has been aborted; procedure 'parse_csv' failed at line 57, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Too many fields in CSV input, expected 15, got 16 in input '2018-12-06 21:26:06 W3SVC2 10.0.1.122 POST /home/name/services/Publish/Index - 80 - 10.0.0.0 - - 303 0 0 663 915 0' 2018-12-06 16:26:08 ERROR if-else failed at line 43, character 430 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 43, character 239 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "https://www.company.com/home/", invalid modifier: '/'

Looks like my awesome devs added new fields to the logs without telling me; adding those new fields to the config fixed the issue.