Need help getting IIS logs into Graylog 2.3

Good call Jochen. Here you go Sparky. Keep in mind anything within this config is “tunable” depending on what fields you choose to use. This is a mostly default format with “x-forwarded-for” added in our case as we need that passed for our own uses. You can easily remove that if not needed in your setup.

I have also set “SavePos” to false so if either an input was turned off, graylog went down, or network availability became a problem we wouldn’t get a sudden influx of logs when things were back online. Turn “SavePos” on at your own risk, as a buildup of logs on the IIS servers suddenly being shipped to graylog can sometimes quickly overwhelm graylog/elasticsearch depending on your setup and what it can handle. In our case 10k per second sustained isn’t a problem, but when all of a sudden graylog is being shipped 100k+ per second it can turn into an issue very quickly.

The following config should get you off the ground with NXLOG. Keep in mind you’ll have to set the “Input” file path to where your logs are stored and point the “Output” to correspond to your graylog input IP and Port. Those should be easy enough. Remember to make your Graylog input GELF if you want this config to work. Other output types are supported if you want to use them, but this IMO seems to be the ideal setup. Let me know if you have any questions or need further help with the setup. Here is the config.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_gelf
</Extension>

<Extension w3c>
    Module xm_csv
    Fields $date $time $s-sitename $cs-method $cs-uri-stem $cs-uri-query $cs-username $c-ip $cs-user-agent $cs-referer $cs-host $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken $x-forwarded-for
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, integer, integer, integer, integer, integer, integer, string
    Delimiter ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input IISIN>
    Module im_file
    # Single-quoted NXLog strings take backslashes literally, so one backslash per path separator
    File 'W:\logfiles\u_ex*.log'
    SavePos False
    Recursive True
    # Drop the W3C header lines (#Software, #Version, #Date, #Fields), parse the rest with
    # the w3c field list above, and ship the parsed record as JSON in the GELF message
    Exec if $raw_event =~ /^#/ drop();    \
        else    \
        {    \
            w3c->parse_csv();    \
            $EventTime = parsedate($date + " " + $time);    \
            $SourceName = "IIS";    \
            $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
            $Message = to_json();    \
        }
</Input>


<Output IISOUT>
    Module      om_tcp
    Host        <GRAYLOG INPUT IP HERE>
    Port        <GRAYLOG INPUT PORT HERE>
    OutputType    GELF_TCP
</Output>

<Route 1>
    Path        IISIN => IISOUT
</Route>
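Because xm_csv assigns columns by position, an IIS site whose “#Fields:” header differs from the list in the config will land data in the wrong Graylog fields without any error. The following added example (not from the original post or from NXLog) reproduces the Input block’s parse step in Python and checks a log’s “#Fields:” header against the configured list; the sample log lines are constructed.

```python
from datetime import datetime
from itertools import zip_longest

# Field names, types and UndefValue copied from the xm_csv extension in the config above.
W3C_FIELDS = ("date time s-sitename cs-method cs-uri-stem cs-uri-query cs-username "
              "c-ip cs-user-agent cs-referer cs-host sc-status sc-substatus "
              "sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for").split()
INTEGER_FIELDS = {"sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken"}
UNDEF = "-"  # IIS writes '-' for an empty column

def check_fields_header(header):
    """Compare an IIS '#Fields:' header with the configured list.
    Returns [] on a match, else (position, expected, actual) per differing column."""
    actual = header.split()[1:]
    return [(i, want, got) for i, (want, got) in enumerate(zip_longest(W3C_FIELDS, actual)) if want != got]

def parse_iis_line(line):
    """Mirror the Exec block: drop '#' lines, split the record (IIS encodes spaces
    inside values as '+'), type the integer columns, map '-' to None, build EventTime."""
    if line.startswith("#"):
        return None  # drop()
    values = line.split(" ")
    if len(values) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} columns, got {len(values)}")
    event = {}
    for name, value in zip(W3C_FIELDS, values):
        event[name] = None if value == UNDEF else (int(value) if name in INTEGER_FIELDS else value)
    when = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
    event["EventTime"] = when.strftime("%Y-%m-%dT%H:%M:%SZ")  # IIS logs in UTC
    event["SourceName"] = "IIS"
    return event

def process_log(text):
    """Run the header check and the parser over a whole log; returns (header mismatches, events)."""
    diffs, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            diffs = check_fields_header(line)
        event = parse_iis_line(line)
        if event is not None:
            events.append(event)
    return diffs, events

# Constructed sample log (not from the post), laid out exactly as the config expects.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-user-agent cs-referer cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for
2017-09-12 14:03:21 W3SVC1 GET /login.aspx - - 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) - www.example.test 200 0 0 5120 412 31 192.0.2.10
2017-09-12 14:03:22 W3SVC1 POST /api/orders id=42 jdoe 10.0.0.6 curl/7.55.1 - www.example.test 500 0 64 0 980 1203 -"""
```

Run `process_log` over a real u_ex*.log before enabling the input: a non-empty mismatch list means the Fields/FieldTypes lines must be edited to match that site’s logging configuration.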

I’ve been on another project for a couple of days but will be checking about potential network problems today.

Strange thing is Winlogbeat works fine but not Filebeat between the same two machines.

I will also check if NXLog could be an alternative.

Thanks for all your ideas, guys.
