NXLog is logging domain name instead of hostname


#1 NP_278933

I have three different sites and have configured NXLog to push logs to Graylog. Below is my config. On one server the hostname is captured by NXLog, but on another server with the same NXLog config and the same IIS config, the domain name is captured instead of the hostname. Both servers run the same OS, Windows Server 2012 R2.

Any help would be greatly appreciated here

# Global NXLog settings: install root, derived directories and the agent's own log file.
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
# CERTDIR and CONFDIR are defined but not referenced anywhere in the configuration shown.
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
# The agent's own diagnostics go to %LOGFILE%; check this file first for config load errors.
LogFile %LOGFILE%

Moduledir %ROOT%\modules
# Cache, PID file and spool all share %ROOT%\data with the agent log.
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Extension modules loaded at startup.
# NOTE(review): nothing in the configuration shown calls into xm_syslog, xm_charconv or
# xm_exec. If no other config fragment uses them, dropping the unused ones (xm_exec in
# particular, since it provides external command execution) keeps the agent's surface small.
<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

# Loads xm_fileop and uses it to rotate the agent's own log file (%LOGFILE%) on two schedules.
# file_cycle('%LOGFILE%', 8) is called with a limit of 8 in both schedules.
# NOTE(review): the hourly Exec below is spread over several lines with blank lines between
# them; this looks like an artifact of the forum paste - confirm that the real file keeps the
# statement on one line or uses line continuations.
<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and

(file_size('%LOGFILE%') >= 5M))

file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

#######################################################################
#### EXTENTIONS #####
#######################################################################

# xm_gelf supplies the GELF output format selected by "OutputType GELF" in the graylog output.
<Extension _gelf>
Module xm_gelf
</Extension>

# xm_json supplies to_json(), which each IIS input calls to serialize the parsed fields.
<Extension _json>
Module xm_json
</Extension>

#######################################################################
#### IIS NXLOG ######
#######################################################################

# CSV parser instance for IIS W3C logs: space-delimited, '-' treated as an undefined value,
# all sixteen columns typed as strings.
# Parsing is positional, so this list has to match the column order in the "#Fields:" header
# of the IIS log files on every server; a differing IIS field selection on one host would
# silently put values into the wrong fields.
# NOTE(review): $cs_uri_query, $cs_username, $c_ip and $cs_Referer can carry credentials,
# tokens or personal data; decide whether they should leave the host unredacted.
# NOTE(review): confirm that a field name containing hyphens ($x-forwarded-for) is accepted
# by the NXLog version in use.
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>

# Reads the IIS log files of site W3SVC3. Lines starting with '#' (the W3C header lines) are
# dropped; every other line is parsed by the w3c CSV extension, tagged with SourceName
# "PR-IIS" and re-serialized into $raw_event as JSON.
# The first $EventTime assignment is overwritten immediately by the second one, which appends
# "Z" (presumably to mark the IIS timestamp as UTC - confirm against the site's log settings).
# SavePos TRUE is set so the read position is saved and reading does not start over on restart.
<Input pr-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PR-IIS";

$raw_event = to_json();

}
</Input>

# Same pipeline as the other IIS inputs, for site W3SVC1: drop '#' header lines, parse the
# rest with the w3c CSV extension, set SourceName "PP1-IIS", serialize to JSON.
# Only the second $EventTime assignment (the one with the "Z" suffix) takes effect.
# $SourceName is the only value here that distinguishes the site; the host identity is set
# later, in the output block.
<Input pp1-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PP1-IIS";

$raw_event = to_json();

}
</Input>

# IIS input for site W3SVC2: '#' header lines are discarded, data lines are split into the
# w3c fields, labelled with SourceName "PP2-IIS" and converted to JSON in $raw_event.
# The $EventTime value that survives is the second assignment, built with a trailing "Z".
# NOTE(review): the W3SVC<n> site IDs are per-server IIS values; verify on each host that
# these paths point at the intended sites.
<Input pp2-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();

else

{

w3c->parse_csv();

$EventTime = parsedate($date + " " + $time);

$EventTime = parsedate($date + " " + $time + "Z");

$SourceName = "PP2-IIS";

$raw_event = to_json();

}
</Input>

# Ships every routed event to Graylog as GELF over UDP.
# NOTE(review): UDP gives no delivery guarantee, no encryption and no sender authentication.
# The IIS fields forwarded here include usernames, client IPs and query strings, and the
# receiver cannot verify which host sent a datagram. If the Graylog input supports it, a
# TCP/TLS transport (for example om_ssl with the GELF_TCP output type) is the safer choice.
<Output graylog>
Module om_udp
Host x.x.x.x
Port xxxx
OutputType GELF

# This is the line that decides the host identity of each event. hostname_fqdn() returns
# whatever fully qualified name the OS resolves for itself, so the value depends on each
# server's DNS suffix / domain settings rather than on this file. Inconsistent values break
# per-host searches and alerting. hostname() gives the short host name - confirm which form
# the Graylog streams and alerts expect.
Exec $Hostname = hostname_fqdn();
# Prefixes the JSON payload with the host value and a fixed ' IIS-NXLOG ' marker.
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
# The debug line writes complete events, sensitive fields included, to a local file;
# keep it commented out outside of troubleshooting.
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>

# Connects each of the three IIS inputs to the graylog output.
# NOTE(review): all three Route blocks use the same name, iis-to-graylog. Instance names are
# normally expected to be unique, so check nxlog.log on each server for a duplicate-definition
# warning and confirm that all three paths are active. Distinct names, or a single route with
# "Path pr-iis, pp1-iis, pp2-iis => graylog", would remove the ambiguity.
<Route iis-to-graylog>
Path pr-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp1-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp2-iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################












#2 rafDeactivated Nxlog ✓
#1 NP_278933
I have three different sites and configured nxlog to push logs to graylog.Below is my config.In one server hostname is getting in NXLOG but in other server with same NXLOG config and same IIS config Domain Name is getting captured instead of hostname.Both servers having same O.S windows server 2012 R2. Any help would be greatly appreciated here #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and (file_size('%LOGFILE%') >= 5M)) file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule> </Extension> ####################################################################### #### EXTENTIONS ##### ####################################################################### <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> ####################################################################### #### IIS NXLOG ###### ####################################################################### <Extension w3c> Module xm_csv Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for FieldTypes string, string, string, string, string, string, string, string, string, string, string, 
string, string, string, string, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input pr-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PR-IIS"; $raw_event = to_json(); } </Input> <Input pp1-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PP1-IIS"; $raw_event = to_json(); } </Input> <Input pp2-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PP2-IIS"; $raw_event = to_json(); } </Input> <Output graylog> Module om_udp Host x.x.x.x Port xxxx OutputType GELF Exec $Hostname = hostname_fqdn(); Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; #Use the following line for debugging (uncomment the fileop extension above as well) #Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event); </Output> <Route iis-to-graylog> Path pr-iis => graylog </Route> <Route iis-to-graylog> Path pp1-iis => graylog </Route> <Route iis-to-graylog> Path pp2-iis => graylog </Route> ####################################################################### #### /IIS NXLOG ##### #######################################################################

Hello,

If you're using exactly the same NXLog CE config on each machine, and only one differs in what you can find in your logs, it is most likely your results are related to your Windows configuration rather than NXLog itself.

Could you confirm that all your settings (besides the obvious differences between host-specific options) are the same across all of your machines?

Best regards,
Rafal