1 response

Hi,

My working nxlog.conf relies on Query directives aimed at explicitly named Channels together with the im_msvistalog Module.

<Input blu_eventlog_iis>
Module im_msvistalog

Query <QueryList>\
<Query Id="0">\
<Select Path="Microsoft-IIS-Configuration/Administrative">*</Select>\
<Select Path="Microsoft-IIS-Configuration/Operational">*</Select>\
<Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
</Query>\
</QueryList>

# Filter noise from IIS schema issues
Exec if ($Message =~ /Unable to find schema/) drop();

# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);

# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
</Input>

<Output blu_out_eventlog_iis>
Module om_tcp
Host %SIEM%
Port %PORT%

Exec to_syslog_bsd();
</Output>

<Route route_eventlog_iis>
Path blu_eventlog_iis => blu_out_eventlog_iis
</Route>

I hoped to clean up some 15007 errors in the nxlog.log files included below:

2020-07-06 14:42:55 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

I suspect the 15007 errors are being generated because IIS isn't set up. In other words, the named IIS Channels are queried but not found.

Is it possible to add an If/Else statement as part of those Query directives? Looking over the NXlog CE Manual, I only see If/Else statements used with Exec. Any guidance would be greatly appreciated!

Asked July 6, 2020 - 9:07pm
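One way to confirm the suspicion above before touching the Query block is to check, on the host running NXLog, which of the channels named in the config actually exist. The following PowerShell script is an added example, not code from the post or from NXLog; it assumes the config lives at the default CE install path (adjust the parameter otherwise) and uses only the built-in Get-WinEvent cmdlet.

```powershell
# Added example: list which <Select Path="..."> channels from nxlog.conf exist on this host.
# A channel that Get-WinEvent cannot find is the same condition im_msvistalog reports as
# "the channel was not found [error code: 15007]".
param(
    # Assumed default location of the NXLog CE config; override if installed elsewhere.
    [string]$ConfPath = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
)

# Pull every channel referenced by a Select element inside the Query directives.
$content  = Get-Content -Path $ConfPath -Raw
$channels = [regex]::Matches($content, '<Select\s+Path="([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

if (-not $channels) {
    Write-Warning "No <Select Path=...> entries found in $ConfPath"
    return
}

$missing = @()
foreach ($ch in $channels) {
    # -ListLog returns the log's metadata, or writes a non-terminating error (suppressed
    # here) when the host has no such channel, e.g. because IIS has not been installed.
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        Write-Host ("MISSING  {0}" -f $ch)
        $missing += $ch
    } else {
        # A present but disabled channel exists and will not raise 15007, so report both facts.
        Write-Host ("present  {0}  (enabled={1}, records={2})" -f $ch, $log.IsEnabled, $log.RecordCount)
    }
}

if ($missing) {
    Write-Host "`nSelect lines to remove from the Query block until the corresponding feature is installed:"
    $missing | ForEach-Object { Write-Host ("  <Select Path=`"{0}`">*</Select>" -f $_) }
}
```

Run it once per host that logs 15007; the channels it reports as MISSING are the ones the Query block subscribes to but the host cannot provide.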

Answer (1)