How would I go about statically assigning the value of x-forwarded-for at the end of an IIS message that is being read through im_file?
I am doing testing of IIS log files and I want to take a value from an internal system and add the x-forwarded-for field to the message.
I have tried adding it to the Input on im_file
Exec $Message = $x_forwarded_for + ' ' + 'x.x.x.x';
I have tried it as
$raw_event = $raw_event + 'x.x.x.x'
Either the value never shows up or it ends up outside of the message. What I need is for it to be inside the message. Essentially, where time-taken is in this example message, I would end up with my static x-forwarded-for entry.
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-10-02 17:11:27
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-10-02 17:11:27 fe80::b5d8:132c:cec9:daef%6 RPC_IN_DATA /rpc/rpcproxy.dll 1d4026cb-6730-43bf-91eb-df80f41c050f@test.com:6001&CorrelationID=<empty>;&RequestId=11d6a78a-7c34-4f43-9400-ad23b114aa62&cafeReqId=11d6a78a-7c34-4f43-9400-ad23b114aa62; 80 TEST\HealthMailbox418406e fe80::b5d8:132c:cec9:daef%6 MSRPC - 500 0 0 7990
2017-10-02 17:12:57 fe80::a425:345a:7143:3b15%2 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.1715 80 - fe80::a425:345a:7143:3b15%2 Microsoft+WinRM+Client - 500 0 0 11279
Comments (1)
This section was my latest attempt to try to inject something into the message.
Exec $Message = $Message + $x_forwarded_for + ' ' + '8.8.8.8';
Here is what is currently in the config.
Panic Soft
define ROOT C:\Program Files\nxlog
ModuleDir %ROOT%\modules
CacheDir %ROOT%\data
SpoolDir %ROOT%\data
#define CERTDIR %ROOT%\cert
#define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set `LogFile` below and
# disable the `include` line.
#include %CONFDIR%\log4ensics.conf
LogFile %MYLOGFILE%
Logfile %LOGDIR%\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension w3c>
    Module xm_csv
    # Field names may only contain letters, digits and underscores; a
    # hyphen is parsed as the subtraction operator.
    Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, #$c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $X_Forwarded_For
    FieldTypes string, string, string, string, string, string, integer, string, string, string, #string, integer, integer, integer, string
    Delimiter ' '
</Extension>

<Extension resolver>
    Module xm_resolver
</Extension>

<Extension fileops>
    Module xm_fileop
</Extension>

<Input in_iis>
    Module im_file
    File '\\viis01\c$\inetpub\logs\LogFiles\W3SVC2\u_ex*'
    InputType LineBased
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
             $SourceName = "IIS"; \
             $raw_event = to_json(); \
         }
    Exec $Message = $Message + $x_forwarded_for + ' ' + '8.8.8.8';
</Input>

<Output out_iis>
    Module om_udp
    Host 192.168.10.103
    Port 10130
    OutputType Dgram
    Exec to_syslog_bsd();
</Output>

<Route IIS>
    Path in_iis => out_iis
</Route>
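The following configuration is an added example written for this thread; it is not the poster's config and not an NXLog sample. It addresses both the original question and the config above: the parsed fields only reach the output when the event is re-serialised, so the static value has to be assigned before to_csv() or to_json() is called, not after $raw_event has already been built. It reuses the file path, host and port from the posted config, keeps 8.8.8.8 as the placeholder value, and uses two xm_csv instances: one whose Fields list matches the IIS "#Fields:" header column for column (so c-ip and the status columns are not shifted, which would silently corrupt the client address used in investigations), and one that defines the output order with X-Forwarded-For in the position that time-taken occupies. The extension names w3c_in and w3c_out are my own.

```nxlog
# Added example, not the poster's configuration. Paths, host and port
# are taken from the config above; 8.8.8.8 is a placeholder value.

<Extension w3c_in>
    Module      xm_csv
    # Must match the IIS "#Fields:" header exactly, in order.
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes  string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter   ' '
</Extension>

<Extension w3c_out>
    Module      xm_csv
    # Same columns, with the static X-Forwarded-For where time-taken was.
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $X_Forwarded_For
    Delimiter   ' '
    QuoteMethod None
</Extension>

<Input in_iis>
    Module      im_file
    File        '\\viis01\c$\inetpub\logs\LogFiles\W3SVC2\u_ex*'
    SavePos     TRUE
    <Exec>
        # Header lines (#Software, #Fields, ...) carry no event.
        if $raw_event =~ /^#/ drop();
        w3c_in->parse_csv();
        $EventTime  = parsedate($date + " " + $time);
        $SourceName = "IIS";
        # Field names use underscores; assign the static value here.
        # Replace the literal with a value from the internal system if needed.
        $X_Forwarded_For = '8.8.8.8';
        # Serialise AFTER the field is set, otherwise it never appears.
        $Message   = w3c_out->to_csv();
        $raw_event = $Message;
    </Exec>
</Input>

<Output out_iis>
    Module      om_udp
    Host        192.168.10.103
    Port        10130
    # to_syslog_bsd() wraps $Message (falling back to $raw_event) in a
    # BSD syslog header built from $EventTime and $SourceName.
    Exec        to_syslog_bsd();
</Output>

<Route iis>
    Path        in_iis => out_iis
</Route>
```

With the second example line from the question, the emitted message body becomes the same fourteen leading columns followed by 8.8.8.8 instead of 11279. If the JSON form is wanted instead, replace the to_csv() call with `$raw_event = to_json();` after the assignment; the field then appears as "X_Forwarded_For" in the object. The point that fixes the posted config is the ordering: its first Exec calls to_json() before the second Exec touches $Message, so nothing set afterwards can reach $raw_event.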