IIS logs into graylog

mr_m_cox · March 17, 2017, 4:16pm

I have decided to go bac kto basic and have uninstalled both nxlog and sidecar.

i then reinstalled nxlog and can get half the config working. The windows events are fine, its the IIS which isnt.

Here is my nxlog.conf

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs(User-Agent), $cs(Cookie), $cs(Referer), $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes $time-taken
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, integer, integer, integer, string, string, string
    Delimiter ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

# Enable json extension
<Extension json>
    Module      xm_json
</Extension>
 
# Convert the IIS logs to JSON and use the original event time
# Uncomment IIS_IN section if logging for IIS logging

<Input eventlog>
     # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                    </Query>\
                </QueryList> 
</Input>

<Input IIS_Site1>
    Module im_file
    File "L:\\logs\\LogFiles\\W3SVC2\\u_ex*.log"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop();    \
        else    \
        {    \
            w3c->parse_csv();    \
            $EventTime = parsedate($date + " " + $time);    \
            $SourceName = "IIS";    \
            $Message = to_json();    \
        }
</Input>


<Output Event_Out>
    Module      om_udp
    Host        10.10.0.79
    Port        12201      
    OutputType  GELF
</Output>

<Output IIS_Out>
    Module      om_udp
    Host        10.10.0.79 
    Port        5555
	
</Output>


<Route IIS>
     Path IIS_Site1 => IIS_Out
</Route>

<Route Events>
    Path eventlog => Event_Out
</Route>

Topic		Replies	Views
Graylog shows eventlog from a machine but not IIS logs Graylog Central (peer support) sidecar , nxlog , nodatanx	4	1147	December 24, 2018
Graylog Sidecar and static windows server .log files Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1426	June 29, 2017
61 / 5000 Resultados de traducción I need help sending IIS events to graylog with NXLog Graylog Central (peer support) sidecar , nxlog , nodatanx , send-csv-logsnx	2	716	August 17, 2021
How to get log from windows to graylog2.0.3 Graylog Central (peer support) sidecar , nxlog , nodatanx	8	8077	June 23, 2017
Nxlog file input Graylog Central (peer support) sidecar , nxlog , nodatanx	2	2621	April 12, 2018

IIS logs into graylog

Related topics