Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2249
  • Last Modified:

nxlog config file

How do I modify the nxlog config file to send all IIS logs in JSON format?

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
# Include your Loggly Customer Token here
define CUSTOMER_TOKEN 111111111-111111-11111-1111-1111111111

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
     Module xm_syslog
<Extension json>
     Module xm_json
<Extension w3c>
    Module      xm_csv
	Fields	$date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter	' '
#Feel free to add a selection for Setup and Application events below.
<Input in>
     Module im_msvistalog
     Query  <QueryList>\
                <Query Id="0">\
					 <Select Path="Application">*</Select>\
                     <Select Path="System">*</Select>\
                     <Select Path="Security">*</Select>\
					 <Suppress Path="Security">*[System[(EventID='4656') or (EventID='4658') or (EventID='5156') or (EventID='5158')]]</Suppress>\
     Exec $Message = " " + $EventID + ": " + $Message; \
 <Input iis>
    Module	im_file
    #Needs to be scoped to sane amount of files. Pointing to large amount of files is very inefficient because nxlog polls all logs every second
    File	'D:\\LogFiles\\W3SVC1\\u_ex*'
    ReadFromLast TRUE
    #Drop info legend lines
	Exec	if $raw_event =~ /^#/ drop();
#    Exec	if $raw_event =~ /^#/ drop();                    \
#			else                                             \
#			{                                                \
#				w3c->parse_csv();                            \
#				$EventTime = parsedate($date + " " + $time); \
#				to_json();									 \
#			}												 
<Output out>
     Module  om_tcp
	 Host logs-01.loggly.com
     Port 514
	 # Be sure to replace <CUST_TOKEN> with your unique customer token
     # Any tags specified will be accessible within Loggly. Space separated list.
	 Exec to_syslog_ietf();\
$raw_event = replace($raw_event, 'NXLOG@14506', '%CUSTOMER_TOKEN%@41058 tag="webservers"] [', 1);
     #Use the following line for debugging (uncomment the fileop extension above as well)
     #Exec file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log",  $raw_event);
<Route 1>
     Path in, iis => out

Open in new window

1 Solution
btanExec ConsultantCommented:
can you check out the below instead which shared briefly on using nxlog to read the IIS log and convert each line to JSON. The json ext is used
<Extension json>
    Module      xm_json


Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now