Process IIS Logs with GROK patterns and Extractor

I have successfully sent IIS logs to Graylog using NXlog. How can I create a pattern for the c-ip value in the message received by Graylog?

Here is my NXlog configuration:

<Extension w3c>
    Module xm_csv
    Fields $datetime, $c-ip
    FieldTypes string, string
    Delimiter ' '
    QuoteChar '"'
    EscapeControl TRUE
    UndefValue -
</Extension>
<Output out>
    Module om_udp
    Host 192.168.1.100
    Port 13254
    Exec to_syslog_bsd();
</Output>


If you use GELF to send the logs from NXLog to Graylog, then you won't need to parse the message; the fields will be created automatically. Send logs to Graylog :: NXLog Documentation

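To show concretely why the GELF route removes the need for a Grok pattern on c-ip, here is an added example (not code from the thread, from NXLog or from Graylog): a small Python parser that reads an IIS W3C log using its `#Fields:` directive as the schema, so every column, including `c-ip`, is found by name, and then builds the GELF 1.1 JSON document that a GELF output carries, with each W3C column as an underscore-prefixed additional field. The log content, the host name `iis-web01` and the field-name mapping are constructed for the example; the date/time columns are treated as UTC, which is what IIS writes in W3C format.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of an IIS W3C log file (not taken from the original post).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-05-10 08:15:22 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2023-05-10 08:15:23 10.0.0.5 POST /login - 443 admin 198.51.100.7 curl/8.0 401 2 5 3
"""

UNDEF = "-"  # W3C marker for an absent value (NXLog's UndefValue)


def parse_w3c(text):
    """Yield one dict per record, using the #Fields: directive as the column schema."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no records
        if fields is None:
            raise ValueError("record found before a #Fields: directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        yield {name: (None if v == UNDEF else v) for name, v in zip(fields, values)}


def gelf_field_name(w3c_name):
    """Map a W3C column name to a GELF additional-field key (assumed mapping).

    GELF additional fields must match ^[\\w\\.\\-]*$ and start with an underscore,
    so 'cs(User-Agent)' becomes '_cs_User-Agent' while 'c-ip' stays '_c-ip'.
    """
    return "_" + re.sub(r"[^\w.\-]", "_", w3c_name).strip("_")


def to_gelf(record, host="iis-web01"):
    """Build a GELF 1.1 message dict from one parsed W3C record."""
    ts = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)  # IIS W3C logs record UTC
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": f"{record.get('cs-method')} {record.get('cs-uri-stem')} {record.get('sc-status')}",
        "timestamp": ts.timestamp(),
    }
    for name, value in record.items():
        if name in ("date", "time") or value is None:
            continue  # date/time are already in "timestamp"; absent values are dropped
        msg[gelf_field_name(name)] = int(value) if value.isdigit() else value
    return msg


def client_ips(text):
    """The c-ip values the question asked for, looked up by column name, no Grok needed."""
    return [r["c-ip"] for r in parse_w3c(text)]


def gelf_lines(text, host="iis-web01"):
    """Serialize each record as one GELF JSON document, i.e. what a GELF UDP/TCP output sends."""
    return [json.dumps(to_gelf(r, host), sort_keys=True) for r in parse_w3c(text)]


if __name__ == "__main__":
    for line in gelf_lines(SAMPLE_LOG):
        print(line)
```

Graylog's GELF input stores each `_name` additional field as `name`, so with this shape of message the `c-ip` field is queryable as soon as it arrives and no extractor has to recover it from the message text.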

Hey @neil0314

I agree with @Joel_Duffield

Something like this:

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Output out>
    Module      om_udp
    Host        192.168.1.100
    Port        13254
    # GELF_UDP; plain GELF should also work
    OutputType  GELF_UDP
    # Not needed with GELF: the parsed fields go out as GELF JSON, not as BSD syslog text
    #Exec to_syslog_bsd();
</Output>

I used the following configuration but did not receive any message.
However, by adding a file output and using Wireshark, I can confirm that the NXLog message should have been sent out.

<Extension w3c>
    Module xm_csv
    Fields $datetime, $c-ip
    FieldTypes string, string
    Delimiter ' '
    QuoteChar '"'
    EscapeControl TRUE
    UndefValue -
</Extension>
<Input in>
    Module   im_file
    File     "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log"
    SavePos  TRUE
    Exec if $raw_event =~ /^#/ drop();                              \
        else                                                       \
        {                                                          \
          $raw_event = replace($raw_event, ' ', '@', 1);           \
          w3c->parse_csv();                                        \
          $raw_event = replace($raw_event, ' ', "\t");             \
          $raw_event = replace($raw_event, '@', ' ', 1);           \
          $EventTime = parsedate(replace($datetime, '@', ' ', 1) + '+08:00'); \
        }
</Input>
<Output out2>
    Module      om_file
    File        'C:\Program Files\nxlog\data\nxlog_output.log'
</Output>
<Output out>
    Module      om_udp
    Host        192.168.1.100
    Port        13254
    #Exec to_syslog_bsd();
    # No space in the value: "GELF _UDP" is not a valid OutputType
    OutputType  GELF_UDP
</Output>

