Hello, I want to send IIS W3C logs to the Syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with PowerShell. Is this possible?
In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating the config file "dynamically".
When I add a wildcard "*" instead of website-name and folders with site ids such as W3SVC10, W3SVC11, no log is sent to the syslog server.
# Domain list:
Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name}
# Log Directories Path:
Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }
Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }
If we can do this with an alternative method, it is not necessary to do it with PowerShell. Do you have any suggestions?
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

# Watch your IIS log files
<Input domain1.org>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

# Watch your IIS log files
<Input domain2.net>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

# Watch your IIS log files
<Input domain3.com>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

# Watch your IIS log files
<Input domain4.ru>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

# Watch your IIS log files
<Input domain5.de>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

# Watch your IIS log files
<Input domain6.nl>
    Module      im_file
    File        'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log'
    SavePos     TRUE
    Recursive   TRUE
    Exec        $Message = $raw_event;
</Input>

<Output out>
    Module      om_udp
    Host        8.8.4.4
    Port        514
    Exec        $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec        $raw_event = to_json();
    # Uncomment for debug output
    # Exec      file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
    Path        internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out
</Route>
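One way to generate the per-site Input blocks and the Route from IIS itself, as the question asks. This is an added example, not part of the original thread and not NXLog's own tooling; the file name iis_inputs.conf, the iis<id>_ instance-name scheme and the Route name are assumptions made for illustration.

```powershell
# Added example: generate NXLog im_file inputs for every IIS site.
# Assumptions: the WebAdministration module is available; iis_inputs.conf,
# the iis<id>_ instance prefix and the Route name "iis" are hypothetical.
Import-Module WebAdministration

$confDir = 'C:\Program Files (x86)\nxlog\conf'    # CONFDIR from the posted nxlog.conf
$outFile = Join-Path $confDir 'iis_inputs.conf'   # hypothetical include file

# One template per site; the single-quoted here-string keeps
# $Message and $raw_event literal for NXLog.
$template = @'
<Input {0}>
    Module      im_file
    File        '{1}\u_ex*.log'
    SavePos     TRUE
    Exec        $Message = $raw_event;
</Input>
'@

$blocks = @()
$names  = @('internal')   # the im_internal instance defined in the main config

foreach ($site in Get-Website) {
    # Expand %SystemDrive% and friends, then append the per-site W3SVC<id> folder.
    $base   = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $logDir = Join-Path $base ('W3SVC{0}' -f $site.id)

    # A site that has never been requested has no log folder yet; flag it
    # so a missing feed on the syslog side is not a surprise.
    if (-not (Test-Path -LiteralPath $logDir)) {
        Write-Warning "No log directory yet for $($site.name): $logDir"
    }

    # Site id keeps instance names unique after sanitising the domain name.
    $instance = 'iis{0}_{1}' -f $site.id, ($site.name -replace '[^A-Za-z0-9_]', '_')
    $blocks  += $template -f $instance, $logDir
    $names   += $instance
}

$route = "<Route iis>`r`n    Path        {0} => out`r`n</Route>" -f ($names -join ', ')

# Write the fragment; ASCII avoids a byte-order mark at the start of the file.
($blocks + $route) -join "`r`n`r`n" | Set-Content -LiteralPath $outFile -Encoding ASCII
'Wrote {0} inputs to {1}' -f $blocks.Count, $outFile
```

To use the generated file, replace the hand-written Input and Route blocks at the end of the main nxlog.conf with the line `include %CONFDIR%\iis_inputs.conf`, and restart the NXLog service after each regeneration.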
Comments (9)
Hi Raf,
If I cannot use wildcard characters, will it work for logs created for addresses such as "domain1.org, domain2.net, domain4.ru"?
C:\Program Files (x86)\nxlog\conf\nxlog.conf
If we use the nxlog config file as you suggest
==========================================================
==========================================================
*** I see errors like this in the nxlog.log file.
C:\Program Files (x86)\nxlog\data\nxlog.log
Hi Adam,
I'm sorry - apparently, I've posted an incomplete line. It should be something like this:
Let me know if that works for you.
Best,
Rafal
Hi Raf,
I also tried the format you sent last before responding. I am currently only posting logs for the domain1.org website. There is no problem for domain1.org.
Other domains do not send any new logs to the Log server. domain2.net, domain3.com, domain4.ru etc.
Hmm, that's weird. Are we sure those domains actually generate domains in this root?
Are the privileges set right?
Do those files exist during the start of the NXLog agent process?
Could you set your LogLevel to this and check if there's anything useful?
LogLevel DEBUG
Regards,
Rafal
Hi, these files and folders exist from the very beginning. We do not give any special permissions for any domain. You may know that we create these webpages with the PLESK control panel. So whatever permissions domain1.org has, the other domains (domain2.net, domain3.com, etc.) are created as new websites with the same permissions.
NXLOG config file is as follows
The file and folder list is as follows.
Adam,
And have you tried to change the LogLevel and see the info?
Best regards,
Rafal
I added the "LogLevel DEBUG" line to the nxlog.conf file. Can you please check?
I am sending a log for domain1.org. There is no problem, but unfortunately no new log is sent for other domains (such as domain2.net, domain3.com etc.)
Oh, sure, I've just given an example, obviously, this won't change the directory.
More precisely, you may try this:
File 'C:\\Inetpub\vhosts\u_ext*.log'
Best regards,
Rafal
Hello Raf, this way I was able to post the logs of all sites (domain1.org, domain2.net, domain3.com etc.) to the Graylog server. Thanks dude. If it wasn't for you, I would have given up on this job. Thank you very much for your help. You are great!