IIS to JSON

Posted by Joshua Jacobs 5 months ago

Attempting to ship IIS logs to Logmatic using NXlog. I’ve gone through countless articles trying multiple methods. It seems the data is getting into Logmatic, but it's just the raw message. We are trying to add fields to it to make it readable (Prettify) as we have done with other integrations. Any tips or tricks would be appreciated at this point.

# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.

# To change for your own system if necessary

define ROOT C:\Program Files (x86)\nxlog

define ROOT_STRING C:\Program Files (x86)\nxlog

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Extension to JSON

<Extension json>
Module xm_json
</Extension>
<Extension w3c_parser>
Module xm_csv
Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, \
$cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, \
$sc-version, $cs(User-Agent), $cs(Referer), $cs-host, $sc-status, \
$sc-substatus, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken, $ClientSourceIP
FieldTypes integer, integer, string, string, integer, string, \
string, string, integer, string, integer, \
string, string, string, string, integer, \
integer, integer, integer, integer, integer, integer
Delimiter ' '
EscapeChar '"'
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>

#### INPUTS

# Convert the IIS logs to JSON and use the original event time

<Input iis_w3c>
Module im_file
File 'C:\ALB-WEB-05\W3SVC1\u_ex*.log'
SavePos TRUE
<Exec>
if $raw_event =~ /^#/ drop();
else
{
w3c_parser->parse_csv();
$EventTime = parsedate($date + " " + $time);
$SourceName= "IIS";
$Message = to_json();
}
</Exec>
</Input>

###### OUTPUTS

# TCP output module

<Output out>
Module om_tcp
Host api.logmatic.io
Port 10514
Exec $raw_event="HIDDEN "+$raw_event;
</Output>

###### ROUTES TO CHOOSE

<Route 1>
Path iis_w3c => out
</Route>
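
Why only the raw line arrives, shown as an added example that is not part of the original post: om_tcp sends $raw_event, and assigning to_json() to $Message leaves $raw_event untouched, so the blocks below call the procedure form of to_json() in the output instead. They reuse the post's json and w3c_parser extensions and its HIDDEN key placeholder, and assume the FieldTypes for $date, $time and the IP address fields are changed to string so that parse_csv() accepts W3C values.

```conf
# Added example: replacement <Input> and <Output> blocks.
# Assumes the <Extension json> and <Extension w3c_parser> instances
# from the post are still defined above these blocks.

<Input iis_w3c>
    Module  im_file
    File    'C:\ALB-WEB-05\W3SVC1\u_ex*.log'
    SavePos TRUE
    <Exec>
        # W3C header lines (#Software, #Fields, ...) start with '#'
        if $raw_event =~ /^#/ drop();
        else
        {
            # Split the line into the fields named in w3c_parser
            w3c_parser->parse_csv();
            # Use the time recorded by IIS, not the time of collection
            $EventTime = parsedate($date + " " + $time);
            $SourceName = "IIS";
            # No $Message = to_json() here: that only stores the JSON
            # in a field and leaves $raw_event as the original line
        }
    </Exec>
</Input>

<Output out>
    Module  om_tcp
    Host    api.logmatic.io
    Port    10514
    <Exec>
        # Procedure form of to_json(): serialises the parsed fields
        # and writes the result into $raw_event, which om_tcp sends
        to_json();
        # "HIDDEN" stands for the redacted API key, as in the post
        $raw_event = "HIDDEN " + $raw_event;
    </Exec>
</Output>
```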
