velikrgl
August 16, 2021, 11:51am
1
I want to send IIS logs from Windows10 to Ubuntu 20.04 graylog server.
I have install graylog on ubuntu and it works fine. I have tried to get Windows10 event logs and successfully got it .But I cannot get IIS logs from Windows10 to Graylog server (Ubuntu 20.04).
Here is my configuration code
#######################################################################
#### EXTENTIONS #####
#######################################################################
<Extension _gelf>
Module xm_gelf
</Extension>
<Extension _json>
Module xm_json
</Extension>
#######################################################################
#### IIS NXLOG ######
#######################################################################
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE
Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "IIS";\
$raw_event = to_json();\
}
</Input>
<Output graylog>
Module om_udp
Host YOUR_GRAYLOG_IP
Port 12201
OutputType GELF
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
Path iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################
Graylog - > v3.1.4+1149fe1
MongoDB–> v4.4.8
Elasticsearch → 6.8.18
lcosta
August 16, 2021, 2:42pm
2
Hi there,
Output Type must be type GELF and the input port 12201
On the “YOUR_GRAYLOG_IP” you must insert the ONLY the ip without any other info.
Since you using IIS, after this setting must restart NXLOG (if not using graylog sidecar)
Best Regards
velikrgl
August 16, 2021, 5:31pm
3
Hi
lcosta
August 16, 2021, 9:44pm
4
If so, then use the “telnet” command to check if the Port is listening in your IIS server.telnet <YourGraylogIP> 12201
gsmith
August 16, 2021, 10:33pm
5
@velikrgl
Adding on to @lcosta suggestion, maybe try to configure your INPUT like this. Use global Instead.
Below is my configuration for NXlog-ce on my Windows server 2019. Using GELF TCP/TLS input on Graylog
nxlog_config
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Output out>
Module om_ssl
Host graylog.domain.com
Port 51412
OutputType GELF_TCP
CertFile %CERTDIR%/graylog3-certificate.pem
CertKeyFile %CERTDIR%/graylog3-key.pem
CAFile %CERTDIR%/cert3.pem
KeyPass secret
AllowUntrusted true
Exec $Hostname = hostname_fqdn();
Exec $FullMessage = $raw_event;
#Exec to_syslog_snare();
</Output>
<Route >
Path in => out
</Route>
Also for your GELF UDP output configuration, please take a look here.
Graylog Extended Log Format (GELF_UDP)
velikrgl
August 17, 2021, 6:30am
6
I have tried both of them .I have already got connnected and network is up as you can see in the pic.I turned off windows firewall in case it may be block the traffic but still do not get logs in search tab. Is there anything wrong with my elasticsearch ?
velikrgl
August 17, 2021, 6:47am
8
This is graylog server-log. Sorry for sending photos seperately but it does not let me to share at once because I am new user
lcosta
August 17, 2021, 9:29am
9
If the Input is running and you are not getting messages 90% is from the settings on NXLOG
velikrgl
August 17, 2021, 10:49am
10
Output logs seem good.It just say connected succesfully .I have shared photos that you can see there is no error . Can anyone share another config file so that I can implement it to my config ?
gsmith
August 17, 2021, 10:56pm
11
Hello,
velikrgl:
<Output graylog>
Module om_udp
Host YOUR_GRAYLOG_IP
Port 12201
OutputType GELF
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>
Try this configuration OutputType GELF_UDP
Also, why are you using a GELF-TCP Input and your Nxlog is configured for UDP?input and see if that works.
EDIT: I think your on the right path, you need to match up your Log shipper configuration with you Graylog Input. If I’m seeing this correct on your nxlog config file your input section is using json format? If so take a look here
You may need to change your Graylog Input to match that format. Maybe something like Raw/PlainText then adjust you nxlog Output section to match that input. I also did a quick search speaking of Nxlog configuration there might be something in these post will help you out.
https://nxlog.co/question/3855/sending-iis-w3c-syslog https://nxlog.co/community-forum/w3c-iis
velikrgl
August 18, 2021, 8:09am
13
Thank you guys I finally solved my problem.The problem was json format.I convert logs to json format but I did not exec it .So adding * Exec to_json(); * to output I successfully got logs. It does not matter udp or tcp but I used tcp as graylog input
I hope this topic helps you guys
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
<Extension json>
Module xm_json
</Extension>
#Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$Message = to_json(); \
}
</Input>
<Output graylog>
Module om_tcp
Host graylog_ip
Port graylog_port
Exec to_json();
OutputType GELF_TCP
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
Path iis => graylog
</Route>
3 Likes
gsmith
August 18, 2021, 9:32pm
14
@velikrgl
lcosta
August 27, 2021, 8:21am
15
Nice. Good to know. Good Work!
system
September 10, 2021, 8:21am
16
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
