I'm having trouble getting my IIS logs into Graylog.
My Windows event logs show up just fine, but the IIS logs never show up.

I'm using NXlog per the Graylog docs. I've verified that the logs are 
getting sent (I have them also writing to a file, and I've checked with 
Wireshark to make sure the packets are being sent).
At one point I changed from using a GELF input to a raw input, and then the 
messages showed up but of course were unreadable as they were still in the 
compressed GELF format, like so:

I can send the messages in completely raw, but then all the data is stuck 
in one field.

Why would Graylog accept my GELF-formatted Windows event logs, but not my 
GELF-formatted IIS logs?

I'm running the latest Graylog VMware OVA, and the only changes I've made 
were changing the password and timezone, enforcing HTTPS, and setting up 
LDAP and my inputs.

Is there perhaps some way I can see if Graylog is experiencing an error 
when it decodes the incoming logs?

Here's my NXlog config file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
</Extension>

<Extension fileop>
Module xm_fileop
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module        xm_csv
    Fields        $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes    string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter     ' '
    QuoteChar     '"'
    EscapeControl FALSE
    UndefValue    -
</Extension>

<Input iis>
    Module     im_file
    File     "C:\\inetpub\\logs\\LogFiles\\W3SVC12\\u_ex*"
    SavePos   TRUE

    Exec if $raw_event =~ /^#/ drop();                    \
         else                                             \
         {                                                \
             w3c->parse_csv();                            \
             $EventTime = parsedate($date + " " + $time); \
             $SourceName = "IIS";                         \
             $Message = to_json();                        \
         }
</Input>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output graylog>
    Module      om_udp
    Host        graylog
    Port        12201
    OutputType GELF

    # Use the following line for debugging (uncomment the fileop extension above as well)
    Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

#<Route eventlog>
#    Path        eventlog => graylog
#</Route>

<Route iis-to-graylog>
Path iis => graylog
</Route>



Any assistance will be greatly appreciated. 


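Added here as a debugging aid, not code from the original post or from NXlog or Graylog: a Python decoder for one GELF UDP datagram that inflates the zlib (or gzip) payload, the same compressed form the raw input displayed above (a zlib stream starts with byte 0x78, the letter "x"), and lists the GELF 1.1 payload rules the decoded message breaks. The host name, field values and sample message are constructed.

```python
import gzip
import json
import zlib

CHUNK_MAGIC = b"\x1e\x0f"        # first two bytes of a chunked GELF datagram
REQUIRED = ("version", "host", "short_message")
OPTIONAL = ("full_message", "timestamp", "level", "facility", "line", "file")


def encode_gelf(msg: dict) -> bytes:
    """Serialise a GELF message the way a zlib-compressing sender does."""
    return zlib.compress(json.dumps(msg).encode("utf-8"))


def decode_gelf(datagram: bytes) -> dict:
    """Inflate a single (unchunked) GELF UDP datagram and parse its JSON."""
    if datagram.startswith(CHUNK_MAGIC):
        raise ValueError("chunked GELF datagram: reassemble the chunks first")
    if datagram.startswith(b"\x1f\x8b"):           # gzip member
        payload = gzip.decompress(datagram)
    elif datagram[:1] == b"x":                     # zlib header byte 0x78 is 'x'
        payload = zlib.decompress(datagram)
    else:                                          # uncompressed JSON
        payload = datagram
    return json.loads(payload.decode("utf-8"))


def validate_gelf(msg: dict) -> list:
    """List the ways a message departs from the GELF 1.1 payload rules."""
    problems = [f"missing required field {k!r}" for k in REQUIRED if k not in msg]
    if "version" in msg and msg["version"] not in ("1.0", "1.1"):
        problems.append(f"unknown version {msg['version']!r}")
    if "_id" in msg:
        problems.append("'_id' is reserved and must not be sent")
    for key in msg:
        if key not in REQUIRED + OPTIONAL and not key.startswith("_"):
            problems.append(f"additional field {key!r} must start with '_'")
    return problems


# Constructed sample, shaped like an IIS line after parse_csv() and GELF
# encoding: the CSV columns ride along as underscore-prefixed extra fields.
SAMPLE = {
    "version": "1.1",
    "host": "web01",                               # constructed host name
    "short_message": "GET /index.html 200",
    "timestamp": 1400000000.0,
    "_SourceName": "IIS",
    "_cs-uri-stem": "/index.html",
    "_sc-status": 200,
}
```

Point a UDP listener at a spare port, hand each received datagram to decode_gelf, and print validate_gelf on the result to see what the receiver is actually given.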