IIS logs into graylog

Can you try this.

<Input iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$SourceName = "IIS"; \
}
</Input>

Good morning,

Thanks for the reply.

After I put in the changes you're suggesting to the conf file I get the following, which isn't different from my earlier run at it:

2017-06-19 06:18:07 WARNING stopping nxlog service
2017-06-19 06:18:07 WARNING nxlog-ce received a termination request signal, exiting...
2017-06-19 06:18:08 INFO connecting to x.x.x.x:12201
2017-06-19 06:18:08 INFO nxlog-ce-2.9.1716 started

However, I do not see any messages in the input I have configured on the Graylog side.

Is there anything other than NXLog and a service from my windows box that I have to configure? I am unsure.

Andy.

Thanks to grayloglearn

I have gotten the information I want to start populating to my instance of Graylog.

Lots of good information on this particular thread for me. I also found additional information here: https://www.youtube.com/watch?v=HSTVaKVHJ1w

Thanks again grayloglearn


Andy Davis.


Hi,

What's the difference (or advantage) compared to the way I have it configured?

<Input iis>
    Module    im_file
    File      "C:\inetpub\logs\LogFiles\W3SVC74118705\u_ex*"
    SavePos   TRUE

    Exec      if $raw_event =~ /^#/ drop();                    \
              else                                             \
              {                                                \
                  w3c->parse_csv();                            \
                  $EventTime = parsedate($date + " " + $time); \
                  $SourceName = "IIS";                         \
                  $Message = to_json();                        \
              }
</Input>

Is there any advantage to using $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); over $Message = to_json();?

I don't see any other difference.


Also, I think it's important to define the fields that you're logging in the IIS web server logs prior to the input config:

<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $s-port, $cs-username, $c-ip, $csUser-Agent, $time-taken
    FieldTypes      string, string, string, string, integer, string, string, string, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>
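To make concrete what the Exec block and the xm_csv extension above do to each IIS line, here is a small parser written for this thread as an added illustration (it is not NXLog code and not from any poster). It reads the column names from the log's own `#Fields:` directive instead of a fixed Fields list, which is the general form of what the extension hard-codes; the integer field set, the two constructed sample rows and the host/IP values are assumptions for the example. It drops the `#` directive lines (the `drop()` branch), splits on a single space (`Delimiter ' '`), treats `-` as undefined (`UndefValue -`), builds `EventTime` the way `parsedate` plus `strftime` do, and serialises each event like `to_json()`:

```python
import json
from datetime import datetime, timezone

# Constructed sample: an IIS W3C extended-log excerpt with the directive
# lines NXLog drops and two data rows. IIS writes spaces inside values
# (the User-Agent) as '+', which is why a plain split on ' ' is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-06-19 06:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2017-06-19 06:18:07 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 15
2017-06-19 06:18:09 10.0.0.5 POST /login - 443 alice 192.0.2.11 curl/7.54.0 401 8
"""

# Assumed type map, playing the role of the FieldTypes line: these columns
# become integers, everything else stays a string.
INTEGER_FIELDS = {"s-port", "sc-status", "time-taken", "sc-bytes", "cs-bytes"}
UNDEF_VALUE = "-"  # UndefValue -


def iso_event_time(date, time):
    """parsedate($date + " " + $time) followed by strftime(..., "%Y-%m-%dT%H:%M:%SZ").

    IIS stamps W3C logs in UTC, so the trailing Z is accurate."""
    dt = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_w3c(text):
    """Parse IIS W3C log text into a list of event dicts.

    '#Software', '#Version' and '#Date' lines are discarded exactly as the
    NXLog Exec branch `if $raw_event =~ /^#/ drop();` does; '#Fields' is the
    one directive we read, because it names the columns in order. Note the
    W3C name cs(User-Agent) is kept as the key here, which JSON accepts but an
    NXLog field name cannot carry, hence the thread's renamed $csUser-Agent."""
    fields = None
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row seen before a #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d: %r" % (len(fields), len(values), raw))
        event = {}
        for name, value in zip(fields, values):
            if value == UNDEF_VALUE:
                event[name] = None
            elif name in INTEGER_FIELDS:
                event[name] = int(value)
            else:
                event[name] = value
        event["EventTime"] = iso_event_time(event["date"], event["time"])
        event["SourceName"] = "IIS"
        events.append(event)
    return events


def to_json(event):
    """Equivalent of NXLog's to_json(): one JSON object per event."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(to_json(ev))
```

Running it prints one JSON object per data row, which is what arrives in Graylog's message field when `$Message = to_json();` is used; the column-count check is the part worth keeping in mind when IIS logging fields are changed on the server, because a mismatch between the live `#Fields:` line and a hard-coded Fields list silently shifts every value one column over.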

I had made a mistake in the time field; after I configured it, the logs are showing. I have one question: have you done any customized logs? For example, I have logs on the D drive and want to get those logs. How is it possible? Have you done it before?

I'm sorry, I'm afraid I don't understand your question. Could you try to word it differently?

Hi micsnare,

The remote server has a D drive, with the file D:\Websites\lot-item\Logs\business.log. I want to get the logs that are stored in business.log. Is it possible to get those logs?

Have you tried changing the file path in the nxlog.conf? What happens if you change it to D:\Websites\lot-item\Logs\business.log? Or do you want to have both directories monitored?

Tried changing it as per below, but no luck.

<Input customlogs>
   Module   im_file
   File     "D:\\Websites\\logs-\\Logs\\BusinessLog.log"
   SavePos  TRUE
</Input>


<Route 1>
   Path customlogs => out
</Route>

What does your nxlog.log say?

Have you found anything wrong with the configuration file?

Hard to tell without knowing the exact error message. Please post the output from the nxlog.log.

Please find the nxlog log:

2017-06-19 20:30:41 WARNING stopping nxlog service
2017-06-19 20:30:41 WARNING nxlog-ce received a termination request signal, exiting...
2017-06-19 20:30:42 ERROR file is already defined at C:\Program Files (x86)\nxlog\conf\nxlog.conf:49
2017-06-19 20:30:42 ERROR couldn't parse expression at line 63, character 52 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected TOKEN_STRING, expecting (
2017-06-19 20:30:42 ERROR invalid expression in 'File', string type required at C:\Program Files (x86)\nxlog\conf\nxlog.conf:63
2017-06-19 20:30:42 ERROR module 'iis' has configuration errors, not adding to route 'iis' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:90
2017-06-19 20:30:42 ERROR module 'graylog' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:90
2017-06-19 20:30:42 ERROR route iis is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:90
2017-06-19 20:30:42 ERROR module 'dlogs' has configuration errors, not adding to route 'dlogs' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2017-06-19 20:30:42 ERROR module 't' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2017-06-19 20:30:42 ERROR module 'dlogs' has configuration errors, not adding to route 'dlogs' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2017-06-19 20:30:42 ERROR route dlogs is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2017-06-19 20:30:42 WARNING not starting unused module iis
2017-06-19 20:30:42 WARNING not starting unused module dlogs
2017-06-19 20:30:42 INFO nxlog-ce-2.9.1716 started
# Input block name assumed here; the nxlog.log above refers to the module as 'iis'
<Input iis>
    Module   im_file
    File     "D:\\MonitorLogs\\W3SVC1\\u_ex*"
    SavePos  TRUE
    Exec     if $raw_event =~ /^#/ drop();                    \
             else                                             \
             {                                                \
                 w3c->parse_csv();                            \
                 $EventTime = parsedate($date + " " + $time); \
                 $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                 $SourceName = "IIS";                         \
             }
</Input>

It's working with this config.