I have configured Graylog 2.0.3 on CentOS 7 and it is working fine. I want to enable the Windows logs. For this I have followed the steps below.
Step 1) Installed nxlog (nxlog-ce-2.9.1716) on Windows and followed the same steps as in the document after installing nxlog, that is, nxlog -u.
Step 2) Installed the Graylog sidecar on Windows; it installed successfully and started successfully.
Step 3) Changed the server-URL in the conf file under C:\Program Files\Graylog\collector-sidecar
Step 4) I have created the input on the server using GELF UDP on port 12201 and it is running.
Module xm_syslog
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Module om_udp
Host X.X.X.X
Port 12201
OutputType GELF
Exec to_syslog_snare();
Thanks for the reply. I tried the above changes and it is working fine, but I am able to get the logs. I want to configure IIS logs. Can you give information about how to configure them and how we can delete the logs for the last 30 days?
Hi Jose,
Thanks for the update. I have followed the configuration below but I am not getting any IIS logs from my server. Can you suggest where I made a mistake in this config file? Please tell us how to delete the messages/logs IP-based/host-based and how to delete the past 30 days' logs.
Config file.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension gelf>
Module xm_gelf
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
<Extension json>
Module xm_json
</Extension>
#Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "L:\\logs\\LogFiles\\W3SVC2\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$Message = to_json(); \
}
</Input>
<Input in>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
</Input>
<Output out>
Module om_udp
Host X.X.X.X
Port 12201
OutputType GELF_UDP
</Output>
<Route 1>
Path in => out
</Route>
<Route iis-to-graylog>
# The route target must be the name of an <Output> block defined in this file.
# Only "out" is defined above; "graylog" is not, so this route would not load.
Path iis => out
</Route>