Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the IIS logs either.
I attach the implemented configuration file:

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf

LogLevel INFO

<Extension gelf>
Module xm_gelf

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

<Extension _json>
Module xm_json

<Extension syslog>
Module xm_syslog

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
file_cycle('%MYLOGFILE%', 8);

# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
<Select Path="Microsoft-IIS-Logging/Logs">*</Select>\

<Input iis_w3c>
Module im_file
File "X:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log"
SavePos TRUE
InputType LineBased

Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c_parser->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$SourceName = "IIS"; \
$SiteName = "Test"; \
$Message = to_json(); \

<Output udp>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
Port XXXX --> port
OutputType GELF_UDP
Exec to_syslog_bsd();
# Exec log_info("sending data: " + $raw_event);

<Route eventlog_to_udp_win>
Path eventlog => udp

<Route iis_w3c_to_udp_iis>
Path iis_w3c => udp

AskedAugust 6, 2021 - 8:12pm

Comments (1)

  • carlos.caro's picture

    Hi Bernardo,

    The configuration that you have provided appears to have issues, the xm_csv extension module should be loaded by the Extension block with specific directives to provide the parse_csv() procedure which you can use for parsing the records.

    For further information, please refer to Example 435. Collecting W3C format logs with xm_csv in 93. Microsoft IIS section available from our documentation.


Answers (0)