How would I go about statically assigning the value of x-forwarded-for to the end of an IIS message that is being read through im_file?

I am testing IIS log files and I want to take a value from an internal system and add the x-forwarded-for field to the message.

I have tried adding it to the Input on im_file

Exec $Message = $x_forwarded_for + ' ' + 'x.x.x.x';

I have tried it as

$raw_event = $raw_event + 'x.x.x.x'

Either the value never shows up or it ends up outside of the message. What I need is for it to be inside the message. Essentially where the time-taken is on this example message I would end up with my static x-forwarded-for entry.

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-02 17:11:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-02 17:11:27 fe80::b5d8:132c:cec9:daef%6 RPC_IN_DATA /rpc/rpcproxy.dll 1d4026cb-6730-43bf-91eb-df80f41c050f@test.com:6001&CorrelationID=<empty>;&RequestId=11d6a78a-7c34-4f43-9400-ad23b114aa62&cafeReqId=11d6a78a-7c34-4f43-9400-ad23b114aa62; 80 TEST\HealthMailbox418406e fe80::b5d8:132c:cec9:daef%6 MSRPC - 500 0 0 7990
2017-10-02 17:12:57 fe80::a425:345a:7143:3b15%2 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.1715 80 - fe80::a425:345a:7143:3b15%2 Microsoft+WinRM+Client - 500 0 0 11279

Asked November 3, 2020 - 2:38pm

Answer (1)


Could you share your full conf file? It's gonna be easier to follow your approach & fix your issue.



Comments (1)


    This section was my latest attempt to try to inject something into the message.

    Exec $Message = $Message + $x-forwarded-for + ' ' + '';

    Here is what is currently in the config.

    # Global directives: panic level, installation paths, and the location of
    # NXLog's own internal log file.
    Panic Soft

    define ROOT C:\Program Files\nxlog

    ModuleDir %ROOT%\modules
    CacheDir %ROOT%\data
    SpoolDir %ROOT%\data

    #define CERTDIR %ROOT%\cert
    #define CONFDIR %ROOT%\conf

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).

    define LOGDIR %ROOT%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
    # allows the log file location to be modified via NXLog Manager. If you
    # are not using NXLog Manager, you can instead set `LogFile` below and
    # disable the `include` line.
    #include %CONFDIR%\log4ensics.conf

    # NOTE(review): the internal log file is set twice below; both lines expand
    # to %ROOT%\data\nxlog.log, so one of them is redundant.
    LogFile %MYLOGFILE%
    Logfile %LOGDIR%\nxlog.log

    # Loads xm_syslog; the output block's Exec calls to_syslog_bsd().
    # NOTE(review): no closing tags for any block are visible in this paste, and
    # the rotation rules below have no visible wrapper around them - presumably
    # the forum stripped those tags; confirm against the real file.
    <Extension _syslog>
    Module xm_syslog

    # This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
    # is changed in log4ensics.conf via NXLog Manager, rotation of the new
    # file should also be configured there.

    <Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    Every 1 hour
    if ( file_exists('%MYLOGFILE%') and
    (file_size('%MYLOGFILE%') >= 5M) )
    file_cycle('%MYLOGFILE%', 8);

    # Rotate our log file every week on Sunday at midnight
    When @weekly
    Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);

    # Loads xm_json; the input block calls to_json().
    <Extension json>
    Module xm_json

    # CSV parser instance named `w3c`, used by the input block to split each
    # space-delimited IIS log line into named fields.
    # NOTE(review): Fields and FieldTypes each list 15 entries, matching the 15
    # columns of the sample `#Fields:` header, whose last column is time-taken.
    # As written, the last field would therefore receive the time-taken value
    # from the log line, not a static address.
    # NOTE(review): `$X-Forwarded-For` contains hyphens while every other field
    # here uses underscores (`$s_ip`, `$cs_method`); hyphens are likely not
    # accepted in a bare $field name - confirm, and consider `$x_forwarded_for`.
    # NOTE(review): the `#` in front of `$c_ip` and of the matching `string`
    # entry looks like paste residue or a disabled column - confirm which.
    # NOTE(review): X-Forwarded-For is a request header supplied by the client or
    # an upstream proxy, so whatever consumes these events should not treat it as
    # a verified client address; a static test value should be recognisable as
    # synthetic once it reaches the collector.
    <Extension w3c>
    Module xm_csv
    Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, #$c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $X-Forwarded-For
    FieldTypes string, string, string, string, string, string, integer, string, string, string, #string, integer, integer, integer, string
    Delimiter ' '


    # Loads xm_resolver; nothing visible in this paste calls it.
    <Extension resolver>
    Module xm_resolver

    # NOTE(review): xm_fileop is already loaded above as `_fileop`; this second
    # instance looks redundant - confirm whether anything refers to `fileops`.
    <Extension fileops>
    Module xm_fileop

    # Reads IIS W3C log files line by line, drops the `#` header lines, parses the
    # rest with the `w3c` CSV instance, and replaces $raw_event with a JSON
    # rendering of the parsed fields.
    # NOTE(review): the File path goes through the `c$` administrative share on
    # viis01, which typically requires the NXLog service account to hold
    # administrator-level rights on that host; a dedicated read-only share for the
    # log directory, or an agent running on the IIS host, keeps that account to
    # least privilege.
    # NOTE(review): `$raw_event = to_json();` runs before the final assignment to
    # $Message, so nothing set on that last line can appear inside the JSON. A
    # static value would need to be assigned to a field (for example
    # `$x_forwarded_for = 'x.x.x.x';`) before to_json() is called - confirm
    # against the NXLog version in use.
    # NOTE(review): the last line reads `$x-forwarded-for` (hyphenated) and then
    # appends only a space and an empty string, so no address literal is added.
    # NOTE(review): the `{` opened in the else branch is never closed in this
    # paste, and the line holding to_json() ends with a continuation `\` that runs
    # into a second `Exec` keyword - likely paste damage; confirm.
    <Input in_iis>
    Module im_file
    File '\\viis01\c$\inetpub\logs\LogFiles\W3SVC2\u_ex*'
    InputType LineBased
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
    else \
    { \
    w3c->parse_csv(); \
    $EventTime = parsedate($date + " " + $time); \
    $SourceName = "IIS"; \
    $raw_event = to_json(); \
    Exec $Message = $Message + $x-forwarded-for + ' ' + '';

    # Sends each event as a BSD-syslog-formatted UDP datagram to port 10130.
    # NOTE(review): no Host directive is visible; presumably it was removed before
    # posting - confirm.
    # NOTE(review): UDP syslog is unauthenticated, unencrypted and lossy, and the
    # parsed events carry usernames and request URIs (`$cs_username`,
    # `$cs_uri_query`). Where the receiver supports it, a TLS transport such as
    # om_ssl protects those fields in transit; long JSON events may also be
    # truncated in a single datagram.
    <Output out_iis>
    Module om_udp
    Port 10130
    OutputType Dgram
    Exec to_syslog_bsd();

    # Connects the IIS file input to the UDP output.
    <Route IIS>
    Path in_iis => out_iis