Hi

I'm working on a setup for collecting IIS logs and sending them to Graylog.
Here I stumbled into a problem with referring to fields with a dash in the field name.

I would really like the fields to have proper W3C names in Graylog, so I don't wanna remove those dashes.

In the CSV module I have:

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

And in my input def I have:

<Input iis_dodpdownload>
    Module im_file
    ....

    Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \
    { \
        drop(); \
    } \
    else \
    { \
        w3c->parse_csv(); \
        $EventTime = parsedate($date + "T" + $time + "+00:00"); \
        $SourceName = "IIS"; \
        $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; \
    }
</Input>

The line $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; results in a parser error.
If I change the field names to not contain the dash character, then it works. I also tried to surround them with curly braces, but it just returns a new parse error.

How can I refer to those fields/vars or escape them?

Hope someone knows:-)

Best regards, Peter Meldgaard

Asked March 18, 2019 - 1:41pm

Answer (1)

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#lang_fields
You can reference the fields as ${field-name}.

$Message = ${cs-method} + " " + ${cs-uri-stem} + " " + ${sc-status};
This should work.