Dear Graylog community,
I am new to Graylog/Nxlog. I have managed in the last days to do what I
want: collect logs from IIS and the event log. It works, but not at the same
time. It's either IIS logs or event logs but not both... quite
frustrating.
Here is an nxlog.conf I have built from different sources. Maybe my Route
directive is incorrect? Please help.
----cut top section removed----
<Extension gelf>
    Module xm_gelf
</Extension>
<Extension fileop>
    Module xm_fileop
</Extension>
<Extension json>
    Module xm_json
</Extension>
# Parse rule for IIS W3C logs. Copy the field list from the "#Fields:" line in the
# header of the IIS log file; order and count must match the log exactly.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>
<Input iis>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos TRUE
    # Drop the '#' header lines IIS writes at the top of each file, parse the
    # rest with the w3c rule, and build EventTime from the date and time columns.
    # Every continued line of a multi-line Exec must end with a backslash.
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
             $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
             $SourceName = "IIS"; \
         }
</Input>
<Input eventlog>
    Module im_msvistalog
    # Level 1, 2, 3 = Critical, Error, Warning from the Security, System and
    # Application channels. The XML must be one logical line, so each line is
    # continued with a trailing backslash.
    Query <QueryList> \
          <Query Id="0" Path="Security"> \
          <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select> \
          <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select> \
          <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select> \
          </Query> \
          </QueryList>
</Input>
<Output graylog>
    Module om_udp
    Host 10.1.0.215
    Port 12201
    OutputType GELF
    # Debug aid: also append every outgoing event to a local file. It needs the
    # fileop extension defined above; comment it out again once the pipeline works.
    Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
    Path iis => graylog
</Route>
<Route eventlog-to-graylog>
    Path eventlog => graylog
</Route>
# EOF--------------------------------------
Thanks for reading.
Guillaume.
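The Input block for IIS in the config above does three things to every line: it drops the "#" header lines, splits the rest according to the xm_csv field list, and rebuilds an EventTime string from the date and time columns before the GELF output ships the event to Graylog. The script below is an added example written for this page (editor's code, not part of Guillaume's post and not NXLog code) that emulates that pipeline on a constructed IIS log fragment, so you can see exactly which fields and which GELF 1.1 document end up on UDP 12201. It goes one step further than the post: instead of hand-copying the column names into a Fields directive, it reads them from the file's own "#Fields:" header. The host name web01, the log lines and the IP addresses are made up.

```python
"""Emulate the NXLog IIS pipeline from the post: header dropping, xm_csv-style
parsing, EventTime normalisation and GELF 1.1 message construction.
Added example; not NXLog code and not part of the original post."""
import json
import re
from datetime import datetime, timezone

# Constructed IIS W3C log fragment (not a real server's log). The #Fields:
# header is what the xm_csv block in the post copies by hand; here we read it.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-10-03 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-10-03 12:00:01 10.1.0.10 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 15
2015-10-03 12:00:02 10.1.0.10 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) https://example.test/ 401 2 5 120
"""

# Columns the post's FieldTypes directive declares as integer; the rest are strings.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
UNDEF_VALUE = "-"                              # xm_csv UndefValue in the post
GELF_FIELD_NAME = re.compile(r"^[\w.\-]*$")    # GELF 1.1 rule for additional field names


def parse_w3c(text):
    """Return one dict per request line, as the Input block's Exec would leave it."""
    fields = None
    events = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            # The post drops every '#' line; we also harvest the column names.
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields: header")
        # IIS encodes spaces inside values as '+', so a plain split is safe.
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError("field count %d != %d in: %s" % (len(values), len(fields), raw))
        event = {"raw_event": raw}
        for name, value in zip(fields, values):
            if value == UNDEF_VALUE:
                event[name] = None
            elif name in INTEGER_FIELDS:
                event[name] = int(value)
            else:
                event[name] = value
        # parsedate($date + " " + $time) then strftime(..., "%Y-%m-%dT%H:%M:%SZ").
        # IIS writes W3C timestamps in UTC, so the zone is attached explicitly.
        when = datetime.strptime(event["date"] + " " + event["time"], "%Y-%m-%d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)
        event["EventTime"] = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        event["SourceName"] = "IIS"
        events.append(event)
    return events


def gelf_field_name(name):
    """Map a W3C column name to a legal GELF additional field: leading '_', no parentheses."""
    cleaned = name.replace("(", "_").replace(")", "")
    if not GELF_FIELD_NAME.match(cleaned):
        raise ValueError("cannot map %r to a GELF field name" % name)
    return "_" + cleaned


def to_gelf(event, host):
    """Build the GELF 1.1 message an om_udp output with OutputType GELF would send."""
    when = datetime.strptime(event["EventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    msg = {
        "version": "1.1",
        "host": host,
        # xm_gelf falls back to the raw line for short_message when no
        # $ShortMessage or $Message field has been set, which is the case in the post.
        "short_message": event["raw_event"],
        "timestamp": when.timestamp(),
    }
    for name, value in event.items():
        if name == "raw_event" or value is None:
            continue                           # undefined (-) columns are omitted
        msg[gelf_field_name(name)] = value
    return msg


def encode_gelf(msg):
    """Serialise the message as one JSON document, which is what one GELF UDP datagram carries."""
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_IIS_LOG):
        print(encode_gelf(to_gelf(ev, "web01")).decode())
```

Two details worth checking against a real deployment: GELF additional-field names are restricted to word characters, dots and dashes, so a header column such as cs(User-Agent) has to be renamed before it reaches Graylog (the post's Fields list sidesteps this by using names without parentheses); and IIS writes W3C log timestamps in UTC, while the post's Exec stamps a literal "Z" onto whatever parsedate() produced, so compare the EventTime shown in Graylog with the raw line once events flow.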
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/41715847-5b78-44aa-ab45-0c851cb266f0%40googlegroups.com.