IIS site name in source field instead of hostname

Description of your problem

Description of steps you’ve taken to attempt to solve the issue

Updated the NXLog config, which is configured as below on working servers:

```
Exec $Hostname = hostname_fqdn();
Exec $raw_event = $Hostname + ' IIS-NXLOG ' + $raw_event;
```

to the config below, and restarted the IIS server as well:

```
Exec $Hostname = hostname_fqdn();
Exec $raw_event = $raw_event;
```

Environmental information

Operating system information

CentOS 7

Package versions

  • Graylog-3.3
  • MongoDB-4.0
  • Elasticsearch - not able to find

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data


    Module      xm_syslog



    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32



    Module      xm_exec



    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    

    # Rotate our log file every week on Sunday at midnight
    
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    


#######################################################################
####                         EXTENTIONS                           #####
#######################################################################


    Module      xm_gelf



    Module      xm_json


#######################################################################
####                         IIS NXLOG                           ######
#######################################################################


    Module	xm_csv
    Fields	$date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $X-Forwarded-For
    FieldTypes	string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter 		' '
    QuoteChar 		'"'
    EscapeControl 	FALSE
    UndefValue 		-



	Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~/^#/ drop();\
       else\
       {\
        w3c->parse_csv();\
        $EventTime = parsedate($date + " " + $time);\
	$EventTime = parsedate($date + " " + $time + "Z");\
        $SourceName = "PP-IIS";\
	$raw_event = to_json();\
       }



	Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~/^#/ drop();\
       else\
       {\
        w3c->parse_csv();\
        $EventTime = parsedate($date + " " + $time);\
	$EventTime = parsedate($date + " " + $time + "Z");\
        $SourceName = "xxxx-PR-IIS";\
	$raw_event = to_json();\
       }



	Module om_udp
	Host xxxx.xxxx.xxxx.xxxx
	Port xxxx
	OutputType GELF

	Exec        $Hostname = hostname_fqdn();
        Exec    $raw_event = $raw_event;
        #Use the following line for debugging (uncomment the fileop extension above as well)
	#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);



	Path		pp-iis => graylog



	Path		xxxx-pr-iis => graylog


#######################################################################
####                         /IIS NXLOG                           #####
#######################################################################
```

Hello,

I assume this is the same post?

As I mentioned in the other post, your output looks incorrect.

And your Output section needs opening and closing brackets:

```
<Output out>
    Something here
</Output>
```

Please look at my nxlog configuration from the other post or here below.

NXlog_config
```
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _fileop>
    Module xm_fileop
    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>
    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        graylog.doamin.com
    Port        51412
    OutputType  GELF_UDP
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec        to_syslog_snare();
</Output>

<Route >
    Path        in => out
</Route>
```

Thanks

Below is the config from my earlier post; somehow the nxlog config got truncated. There are Output tags already, with opening and closing brackets, so nothing to worry about there.

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

#######################################################################
####                         EXTENSIONS                           #####
#######################################################################

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

#######################################################################
####                         IIS NXLOG                           ######
#######################################################################

<Extension w3c>
    Module      xm_csv
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $X-Forwarded-For
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Input pp-iis>
    Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos  TRUE

    # Drop W3C header/comment lines, parse everything else with the w3c extension.
    # IIS writes W3C timestamps in UTC by default; the trailing "Z" makes parsedate() treat them as UTC.
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time + "Z"); \
             $SourceName = "PP-IIS"; \
             $raw_event = to_json(); \
         }
</Input>

<Input xxxx-pr-iis>
    Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time + "Z"); \
             $SourceName = "xxxx-PR-IIS"; \
             $raw_event = to_json(); \
         }
</Input>

<Output graylog>
    Module      om_udp
    Host        xxxx.xxxx.xxxx.xxxx
    Port        xxxx
    OutputType  GELF

    Exec        $Hostname = hostname_fqdn();
    # No-op kept in place of the earlier hostname prefix (see the first post)
    Exec        $raw_event = $raw_event;
    # Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

# Route names must be unique; both routes were originally named iis-to-graylog.
<Route pp-iis-to-graylog>
    Path    pp-iis => graylog
</Route>

<Route pr-iis-to-graylog>
    Path    xxxx-pr-iis => graylog
</Route>

#######################################################################
####                         /IIS NXLOG                           #####
#######################################################################
```

Thanks for cleaning the post up.
As I mentioned before, in the other post and in this one, your Output configuration in nxlog is incorrect.

  • Depending on what you want to do with the source field, here are two examples:

    string hostname()
    Return the hostname (short form).

    string hostname_fqdn()
    Return the FQDN hostname. This function will return the short form if the FQDN hostname cannot be determined.

  • I haven’t seen this configuration before.

Do you see anything that would pertain to this issue in the nxlog log file?
What type of input are you using?
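As an added example (not part of this thread and not NXLog's own code), here is a small Python model of what the pp-iis Input and the graylog Output in the config above do to one IIS log line: '#' lines are dropped, the rest is split with the w3c field list, and the result becomes a GELF message whose host comes from hostname_fqdn() while the site name only ends up in SourceName. The GELF field mapping, the handling of undef fields and the sample log lines are assumptions.

```python
import csv
import json
from datetime import datetime, timezone

# Field list copied from the w3c xm_csv extension in the thread's config.
FIELDS = ["date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
          "s_port", "cs_username", "c_ip", "cs_User_Agent", "cs_Referer",
          "sc_status", "sc_substatus", "sc_win32_status", "time_taken",
          "X-Forwarded-For"]
UNDEF = "-"  # UndefValue from the config

# Constructed sample: a W3C header line (dropped by the ^# rule) and one request.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-Forwarded-For",
    "2020-08-20 10:15:32 10.0.0.5 GET /index.html - 443 - 203.0.113.7 "
    "Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 125 -",
]

def parse_iis_line(line):
    # Mirrors the Input Exec: drop() on '#' lines, else w3c->parse_csv()
    # (space delimiter, double-quote QuoteChar, '-' marks an undef field).
    if line.startswith("#"):
        return None
    values = next(csv.reader([line], delimiter=" ", quotechar='"'))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    # Assumption: to_json() leaves undef fields out, so drop them here too.
    return {k: v for k, v in zip(FIELDS, values) if v != UNDEF}

def to_gelf(fields, source_name, fqdn):
    # Assumed xm_gelf mapping: $Hostname -> host, $EventTime -> timestamp,
    # $raw_event -> short_message, every other field -> "_<name>".
    event_time = datetime.strptime(fields["date"] + " " + fields["time"],
                                   "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    extra = dict(fields, SourceName=source_name)     # $SourceName = "PP-IIS"
    msg = {
        "version": "1.1",
        "host": fqdn,                                # $Hostname = hostname_fqdn()
        "short_message": json.dumps(extra),          # $raw_event = to_json()
        "timestamp": int(event_time.timestamp()),
    }
    msg.update({"_" + k: v for k, v in extra.items()})
    return msg

def process(lines, source_name, fqdn):
    # Run the whole pipeline over a list of raw log lines.
    parsed = (parse_iis_line(line) for line in lines)
    return [to_gelf(f, source_name, fqdn) for f in parsed if f is not None]
```

Running process(SAMPLE_LOG, "PP-IIS", "web01.example.com") shows the site name only as _SourceName and inside short_message, so if Graylog displays it as source, something between this output and the message view is rewriting that field.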
