send iis log to logserver


#1 BZ_708214

Hi, how can I get IIS web server logs and then send them to an OSSIM log server?

#2 rafDeactivated Nxlog ✓
#1 BZ_708214
Hi, how can I get IIS web server logs and then send them to an OSSIM log server?

Hello,

You might want to start with the Microsoft docs related to IIS log configuration. Once you have it done, you may approach the problem in several ways; for instance, you can use xm_csv to parse the result and push it anywhere you wish.

Sample nxlog.conf part for parsing might look like this - it comes from our documentation, you can find many answers there:

<Extension w3c_parser>
    Module          xm_csv
    # Field order must match the #Fields header IIS writes at the top of each log file
    Fields          date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
                    s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
                    sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes      string, string, string, string, string, string, integer, \
                    string, string, string, string, integer, integer, integer, \
                    integer
    Delimiter       ' '
    EscapeChar      '"'
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis_w3c>
    Module          im_file
    File            'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
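    <Exec>
        # Drop W3C header lines (#Software, #Version, #Date, #Fields)
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            # IIS W3C timestamps are in UTC; build an ISO 8601 value for parsedate()
            $EventTime = parsedate($date + "T" + $time + ".000Z");
        }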
        }
    </Exec>
</Input>

In case of sending it - I'm guessing you want to use UDP, so please, take a look at the om_udp module - docs are here.

Good luck,

Rafal
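
The sending half that the reply points to, sketched as an added example (not part of Rafal's post or quoted from the NXLog documentation): an om_udp output that wraps each parsed IIS record in BSD syslog and a route connecting it to the `iis_w3c` input above. The address `192.0.2.10`, port 514, the `IIS` source name and the instance names `syslog`, `ossim_udp` and `iis_to_ossim` are assumptions to be replaced with the values of your own OSSIM sensor.

```conf
<Extension syslog>
    Module      xm_syslog
</Extension>

<Output ossim_udp>
    Module      om_udp
    # Assumed placeholder address (TEST-NET-1); use your log server's IP
    Host        192.0.2.10
    # Assumed port: the conventional syslog UDP port
    Port        514
    <Exec>
        # Keep the original W3C line as the syslog message body
        $Message = $raw_event;
        # Assumed tag so the receiver can tell IIS records apart
        $SourceName = 'IIS';
        # Rewrite $raw_event as a BSD (RFC 3164) syslog datagram
        to_syslog_bsd();
    </Exec>
</Output>

<Route iis_to_ossim>
    Path        iis_w3c => ossim_udp
</Route>
```

UDP syslog is unacknowledged and unencrypted, so datagrams dropped in transit are not resent and the records cross the network in clear text.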