
Good afternoon. I was hoping someone may be able to assist me with an issue I am having sending my logs from IIS in W3C format to Graylog. The W3C time is by default in UTC. When NXLog is sending the logs to my Graylog server it is sending logs that are already 4 hours old because I am in EST, but the IIS logs are in UTC. Is there something I can do in the configuration so NXLog is shipping current logs?

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, string, string, string, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input iis>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\\\u_ex*"
    SavePos TRUE

    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
             $SourceName = "Server"; \
             $Message = to_json(); \
         }
</Input>

Thanks in advance.

Asked March 19, 2019 - 8:19pm

Answer (1)

You have a couple options, I think. One option is to change the output of the timestamp in the IIS config.

If you cannot do this, you can try one of the suggestions in the Adjusting Timestamps chapter in the manual.
https://nxlog.co/documentation/nxlog-user-guide/timestamps.html#adjusting-timestamps
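
One way to apply that kind of adjustment to the Input block from the question, as an added example that is not part of the original thread: parsedate() treats a timestamp with no zone information as local time, so the UTC date and time from the W3C log are joined into an ISO 8601 string with an explicit "Z" suffix before parsing. The w3c extension and the File path are assumed to be exactly as posted in the question.

```conf
<Input iis>
    Module  im_file
    # Path copied as posted in the question.
    File    "C:\\inetpub\\logs\\LogFiles\\\\u_ex*"
    SavePos TRUE

    # W3C header lines start with '#' and carry no event data, so drop them.
    # IIS writes $date and $time in UTC. The "T" separator and the trailing
    # ".000Z" give parsedate() an ISO 8601 value with an explicit UTC marker,
    # so the host's local time zone is no longer applied to the value.
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + "T" + $time + ".000Z"); \
             $SourceName = "Server"; \
             $Message = to_json(); \
         }
</Input>
```

With $EventTime stored as an absolute UTC instant, events from this host line up with other sources during log correlation regardless of the server's local zone or daylight saving changes.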