IIS logs into Graylog by using NXLog

Description of your problem

I want to send IIS logs from Windows 10 to an Ubuntu 20.04 Graylog server.

I have installed Graylog on Ubuntu and it works fine. I have tried to get Windows 10 event logs and successfully got them. But I cannot get IIS logs from Windows 10 to the Graylog server (Ubuntu 20.04).

Here is my configuration code.
I NEED A CORRECT CONFIGURATION FILE


#######################################################################
####                         EXTENSIONS                           #####
#######################################################################

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

#######################################################################
####                         IIS NXLOG                            #####
#######################################################################

<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes      string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis>
    Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~ /^#/ drop();                          \
         else                                                   \
         {                                                      \
             w3c->parse_csv();                                  \
             $EventTime = parsedate($date + " " + $time);       \
             $EventTime = parsedate($date + " " + $time + "Z"); \
             $SourceName = "IIS";                               \
             $raw_event = to_json();                            \
         }
</Input>

<Output graylog>
    Module      om_udp
    Host        YOUR_GRAYLOG_IP
    Port        12201
    OutputType  GELF

    Exec        $Hostname = hostname_fqdn();
    Exec        $raw_event = $Hostname + ' IIS-NXLOG ' + $raw_event;
    # Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
    Path        iis => graylog
</Route>

#######################################################################
####                         /IIS NXLOG                           #####
#######################################################################

Package versions

  • Graylog → v3.1.4+1149fe1
  • MongoDB → v4.4.8
  • Elasticsearch → v6.8.18

Hi there,
So, you will only need to set up the INPUT in your Graylog node:

Module om_udp
Host YOUR_GRAYLOG_IP
Port 12201
OutputType GELF

Output Type must be GELF and the input port 12201.
Since you are using NXLog you can also use “UDP”.

In “YOUR_GRAYLOG_IP” you must insert ONLY the IP, without any other info.
Example: 192.168.1.102

Since you are using IIS, after this setting you must restart NXLog (if not using Graylog Sidecar).

Best Regards
Luís Costa

Hi
As you can see in the pic above in the topic, I already created an input. But the problem was I could not see any logs in the search tab. Here is my config below.

If so, then use the “telnet” command to check if the port is listening from your IIS server:
telnet <YourGraylogIP> 12201
If you still have problems, create a new input (Syslog UDP) with another port and try again.

@velikrgl

Adding on to @lcosta's suggestion, maybe try to configure your INPUT like this. Use global instead.

Below is my configuration for NXLog CE on my Windows Server 2019, using a GELF TCP/TLS input on Graylog.

nxlog_config
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

# The <Input in> block referenced by the route below is not included in this post.
<Output out>
    Module      om_ssl
    Host        graylog.domain.com
    Port        51412
    OutputType  GELF_TCP
    CertFile    %CERTDIR%/graylog3-certificate.pem
    CertKeyFile %CERTDIR%/graylog3-key.pem
    CAFile      %CERTDIR%/cert3.pem
    KeyPass     secret
    # AllowUntrusted true accepts the Graylog server certificate without verifying it;
    # set it to false once the CA in CAFile actually signs that certificate.
    AllowUntrusted  true
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec        to_syslog_snare();
</Output>

<Route>
    Path        in => out
</Route>

Also for your GELF UDP output configuration, please take a look here.

Graylog Extended Log Format (GELF_UDP)

I have tried both of them. I have already got connected and the network is up, as you can see in the pic. I turned off the Windows firewall in case it might be blocking the traffic, but I still do not get logs in the search tab. Is there anything wrong with my Elasticsearch?

I got connected already

This is the Graylog server log. Sorry for sending the photos separately, but it does not let me share them at once because I am a new user.

If the Input is running and you are not getting messages, 90% it is from the settings on NXLog.
Can you check the output log?
Maybe you should check/activate this and verify if there's any information.

Output logs seem good. They just say connected successfully. I have shared photos where you can see there is no error. Can anyone share another config file so that I can implement it into my config?

Hello,

Try this configuration: OutputType GELF_UDP

Also, why are you using a GELF TCP input when your NXLog is configured for UDP?
Might want to try a GELF UDP input and see if that works.

EDIT: I think you're on the right path; you need to match up your log shipper configuration with your Graylog input. If I'm seeing this correctly, the input section of your nxlog config file is using JSON format? If so, take a look here

You may need to change your Graylog input to match that format. Maybe something like Raw/Plaintext, then adjust your nxlog Output section to match that input. I also did a quick search on NXLog configuration; there might be something in these posts that will help you out.

And here

Thank you guys, I finally solved my problem. The problem was the JSON format. I converted the logs to JSON format but I did not exec it. So after adding “Exec to_json();” to the output I successfully got logs. It does not matter whether UDP or TCP, but I used TCP as the Graylog input.

I hope this topic helps you guys

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension fileop>
    Module      xm_fileop
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis>
    Module      im_file
    File        "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos     TRUE

    Exec        if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    $SourceName = "IIS";                         \
                    $Message = to_json();                        \
                }
</Input>

<Output graylog>
    Module      om_tcp
    # Replace graylog_ip and graylog_port with the address and port of the GELF TCP input.
    Host        graylog_ip
    Port        graylog_port
    Exec        to_json();
    OutputType  GELF_TCP

    # Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
    Path        iis => graylog
</Route>
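To check, independently of NXLog, what the pipeline above should hand to Graylog, here is an added Python example (not from the thread, not NXLog code): it performs the same steps as the w3c extension and iis input on a constructed IIS log sample, wraps one record in the GELF 1.1 JSON message a GELF input expects, and can fire a single test datagram at a GELF UDP input on 12201. The sample log lines and the host name iis-host.example are constructed.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample of an IIS W3C log (not taken from the thread). IIS writes
# '#' comment lines, marks empty values with '-' and encodes spaces as '+'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-01 12:00:05 10.0.0.5 GET /index.html - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2021-09-01 12:00:07 10.0.0.5 GET /admin/login - 443 - 192.168.1.20 curl/7.79.1 - 401 2 5 3
"""
# The columns the config's FieldTypes declares as integer.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_iis_w3c(text):
    """Mirror the xm_csv step: drop '#' lines (but take column names from
    '#Fields:'), split on spaces, treat '-' as undefined, type the integers."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # column count changed mid-file: skip, do not guess
            yield {n: int(v) if n in INTEGER_FIELDS else v
                   for n, v in zip(fields, values) if v != "-"}


def to_gelf(record, host="iis-host.example"):
    """Build the GELF 1.1 message a GELF input expects: mandatory version/host/
    short_message, UTC epoch timestamp from date+time, custom fields prefixed '_'."""
    when = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
    gelf = {
        "version": "1.1",
        "host": host,
        "short_message": f"{record['cs-method']} {record['cs-uri-stem']} {record['sc-status']}",
        "timestamp": when.replace(tzinfo=timezone.utc).timestamp(),
        "level": 6,
        "_SourceName": "IIS",
    }
    for name, value in record.items():
        # GELF field names allow only word chars, '-' and '.', so cs(User-Agent) -> _cs_User-Agent
        gelf["_" + name.replace("(", "_").replace(")", "")] = value
    return gelf


def send_gelf_udp(gelf, graylog_ip, port=12201):
    """Send one uncompressed GELF datagram to a GELF UDP input (connectivity test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(json.dumps(gelf).encode(), (graylog_ip, port))
```

If a datagram built this way shows up in the search tab while NXLog's output does not, the input side is fine and the mismatch is in the NXLog Output block.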

@velikrgl
Nice, and thank you for sharing :)

Nice. Good to know. Good Work!
