Domain name in source field

We have setup NX log in four IIS servers and 3 servers sending the correct logs to Graylog.One of the app server sending domain name instead of hostname where as rest all three servers sending hostname .Looking for a solution .

Appreciate your help on this.Thanks in advance

Hello && Welcome
On your nxlog configuration file you may need to add this configuration.

    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec        to_syslog_snare();
</Output>

This may depend on what type of INPUT your using. If you have a DNS server double check your
pointer record (PTR for short) for the server in question.

Hello Smith,

Thank you for your reply,

I have updated the configuration as given still getting source as domain name.

Please find the attached screenshot of log and nxlog config for your reference.![graylogscreenshot|690x394]

nxlogconf1364×2380 133 KB

Please find the graylog screesnhot as well

graylogscreenshot1790×1024 104 KB

Hello,

How about this ill show you what I have and you can make the correction. Because my glasses are not that strong and those screen shot’s is hard to see

Here is my NXLOG config

## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log


Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _fileop>
    Module xm_fileop
    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>
    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module      xm_gelf
 </Extension>

<Input in>
    Module      im_msvistalog    
</Input>

<Output out>
    Module         	 om_udp 
    Host         	 graylog.doamin.com
    Port        	 51412
    OutputType  	 GELF_UDP     
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec        to_syslog_snare();
</Output>

<Route >
    Path        in => out
</Route>

This is what I receive.

image1744×657 28.2 KB

hope that helps

EDIT: Just a suggestion your nxlog file you should organize it a little better , for example Keep all your Extension/s together normally right below you log rotation, INPUTS next… Then your Output and last on the bottom of the file is your route. This will help you later and others looking at it

Here is nxlog config , we are expecting hostname.dominname but we are getting IIS site name in place of source field and trying to find out root cause

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

#######################################################################

EXTENTIONS

#######################################################################

#######################################################################

IIS NXLOG

#######################################################################

Exec if $raw_event =~/^#/ drop();\
   else\
   {\
    w3c->parse_csv();\
    $EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
    $SourceName = "PP-IIS";\
$raw_event = to_json();\
   }

Exec if $raw_event =~/^#/ drop();\
   else\
   {\
    w3c->parse_csv();\
    $EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
    $SourceName = "xxxx-PR-IIS";\
$raw_event = to_json();\
   }

Exec        $Hostname = hostname_fqdn();
    Exec    $FullMessage = $raw_event;
    #Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);

#######################################################################

/IIS NXLOG

#######################################################################

Here is the remianing config

Exec        $Hostname = hostname_fqdn();
    Exec    $FullMessage = $raw_event;
    #Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);

#######################################################################

/IIS NXLOG

#######################################################################

When post Config files or commands please look here

Also my apologies , you just want the hostname NOT the FQDN? is this correct? If so this maybe something you want.

string hostname()
Return the hostname (short form).

string hostname_fqdn()
Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined.

Look at my nxlog config file OUTPUT section, yours is incorrect.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.