
Hi, I am testing the NXLog EE agent v.5.3.6735_windows_x64. After installing the agent on the server, I stopped receiving the Windows audit logs (im_msvistalog module) that I was receiving regularly with NXLog CE v.2.10.2150, and I am not getting the IIS logs either.
The configuration file I implemented is attached:

# Global settings. `Panic Soft` logs an internal assertion failure
# instead of aborting the process.
Panic Soft

define INSTALLDIR C:\Program Files\nxlog

# Module, cache and spool directories are left at their defaults; these
# three directives are only needed for a non-standard layout.
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

# CERTDIR is not referenced anywhere else in this file (the only output
# is plain UDP); CONFDIR is used only by the commented-out `include`
# line below.
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
# (As posted the include is disabled, so no managed.conf or other
# drop-in files are loaded; everything the agent runs is in this file.)
#include %CONFDIR%\*.conf

# NOTE(review): with both inputs silent after the upgrade, the first
# place to look is this log file for errors at startup — in particular a
# reference to an undefined module, which should stop the whole
# configuration from loading (see `w3c_parser` in the iis_w3c input).
LogLevel INFO
LogFile %MYLOGFILE%

# Provides the GELF writer used by `OutputType GELF_UDP` in the `udp`
# output.
<Extension gelf>
Module xm_gelf
</Extension>

# Character-set conversion. Nothing in this file calls convert() or
# convert_fields(), so this extension is loaded but currently unused.
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# Provides to_json(), used by the iis_w3c input to build $Message.
<Extension _json>
Module xm_json
</Extension>

# Provides to_syslog_bsd(), called in the `udp` output's Exec.
<Extension syslog>
Module xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there. (The include is commented out
# above, so as posted only this file's LogFile applies.)
<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB;
# file_cycle keeps up to 8 rotated copies.
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight, keeping the
# same 8 copies.
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>

# Windows Event Log subscription: everything (`*`) from the System and
# Security channels plus the IIS ETW logging channel.
<Input eventlog>
Module im_msvistalog
# NOTE(review): reading the Security channel requires the service
# account to have read access to it (LocalSystem, or membership in
# Event Log Readers); check which account the EE service was installed
# under if it differs from the CE installation.
# NOTE(review): Microsoft-IIS-Logging/Logs is only populated when IIS
# logging to ETW is enabled for the site. If the channel is absent or
# disabled, check the nxlog.log file to confirm whether the subscription
# for the whole query fails rather than just that channel; moving it to
# a separate Input isolates the problem.
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
<Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
</Query>\
</QueryList>
</Input>

# IIS W3C access logs for site W3SVC2, read line by line from disk.
<Input iis_w3c>
Module im_file
File "X:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log"
# Remember the read position across restarts so lines are not re-sent.
SavePos TRUE
InputType LineBased

# Lines starting with `#` are the W3C directive/header lines and are
# dropped; everything else is parsed as CSV and serialised into
# $Message.
# NOTE(review): `w3c_parser` is not defined anywhere in this file. An
# `<Extension w3c_parser>` block (xm_csv with a Fields list matching
# the log's `#Fields:` header, or xm_w3c) is required; without it NXLog
# should reject the configuration at startup, which would also explain
# why the eventlog input stopped — look for the error in nxlog.log.
# NOTE(review): $date and $time are assumed to be produced by that
# parser under exactly those names — confirm against its Fields list.
# NOTE(review): $EventTime is first set to a datetime and then
# overwritten with a string; the GELF timestamp presumably wants the
# datetime value — verify what Graylog receives.
# $SiteName is hard-coded to "Test".
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c_parser->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$SourceName = "IIS"; \
$SiteName = "Test"; \
$Message = to_json(); \
}
</Input>

# Single output shared by both routes: GELF over UDP to the Graylog
# server.
# NOTE(review): the ` --> ...` annotations on the Host and Port lines
# are not valid directive syntax; in the running configuration these
# lines must hold only the address and the port (they look like
# redaction notes added for the post).
# NOTE(review): plain UDP gives no delivery guarantee, no integrity and
# no encryption, which matters when the Security channel is among the
# sources; om_tcp or om_ssl with `OutputType GELF_TCP` (using the cert
# directory defined above) is the hardened choice if the collector
# supports it.
# NOTE(review): `OutputType GELF_UDP` serialises the event fields as
# GELF, while to_syslog_bsd() only rewrites $raw_event, so the Exec is
# presumably unnecessary here — confirm what Graylog actually receives.
<Output udp>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
Port XXXX --> port
OutputType GELF_UDP
Exec to_syslog_bsd();
# Uncomment to trace every event sent (verbose; debugging only).
# Exec log_info("sending data: " + $raw_event);
</Output>

# Event Log events go to the Graylog output.
<Route eventlog_to_udp_win>
Path eventlog => udp
</Route>

# IIS access log lines share the same `udp` output instance.
<Route iis_w3c_to_udp_iis>
Path iis_w3c => udp
</Route>

