I'm working on a setup for collecting IIS logs and sending them to Graylog.
Here I stumbled into a problem with referring to fields with a dash in the field name.
I would really like the fields to have proper W3C names in Graylog, so I don't wanna remove those dashes.
In the CSV module I have:
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string
Delimiter ' '
And in my input def I have:
Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \
$EventTime = parsedate($date + "T" + $time + "+00:00"); \
$SourceName = "IIS"; \
$Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; \
The line $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; results in a parser error.
If I change the field names to not contain a dash character, then it works. I also tried to surround them with curly braces, but it just returns a new parse error.
How can I refer to those fields/vars or escape them?
Hope someone knows :-)
Best regards, Peter Meldgaard