Solved. Error in config.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input iis>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $EventTime = parsedate($date + " " + $time); \
             $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
             $SourceName = "IIS"; \
         }
</Input>

<Input eventlog>
    Module im_msvistalog
    ReadFromLast True
    Query <QueryList>\
              <Query Id="0" Path="Security">\
                  <Select Path="Security">*</Select>\
                  <Select Path="System">*[System/Level=4]</Select>\
                  <Select Path="Application">*[Application/Level=2]</Select>\
                  <Select Path="Setup">*[System/Level=3]</Select>\
                  <Select Path='Windows PowerShell'>*</Select>\
              </Query>\
          </QueryList>
</Input>

<Output graylog>
    Module om_udp
    Host 10.1.0.215
    Port 12201
    OutputType GELF

    #Use the following line for debugging (uncomment the fileop extension above as well)
    Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Output Winlogs-gelf>
    Module om_udp
    Host 10.1.0.215
    Port 5414
    OutputType GELF
</Output>

<Route iis-to-graylog>
    Path iis => graylog
</Route>

<Route eventlog-to-graylog>
    Path eventlog => Winlogs-gelf
</Route>

On Tuesday, August 9, 2016 at 10:49:57 AM UTC+2, Guillaume Migaszewski wrote:
>
> Dear Graylog community,
>
> I am new to Graylog/Nxlog. I have managed in the last days to do what I
> want. Collect logs from IIS and eventlog. It works but not at the same
> time. It's either IIS logs or Event logs but not both... quite
> frustrating.
>
> Here is a nxlog.conf I have built from different sources. Maybe my route
> directive is incorrect? Please help.
>
> ----cut top section removed----
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> <Extension fileop>
>     Module xm_fileop
> </Extension>
>
> <Extension json>
>     Module xm_json
> </Extension>
>
> # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
> <Extension w3c>
>     Module xm_csv
>     Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
>     FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
>     Delimiter ' '
>     QuoteChar '"'
>     EscapeControl FALSE
>     UndefValue -
> </Extension>
>
> <Input iis>
>
>     Module im_file
>     File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
>     SavePos TRUE
>     Exec if $raw_event =~ /^#/ drop(); \
>          else \
>          { \
>              w3c->parse_csv(); \
>              $EventTime = parsedate($date + " " + $time); \
>              $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
>              $SourceName = "IIS"; \
>          }
> </Input>
>
> <Input eventlog>
>     Module im_msvistalog
>
>     Query <QueryList>\
>               <Query Id="0" Path="Security">\
>                   <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>                   <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>                   <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>               </Query>\
>           </QueryList>
>
> </Input>
>
> <Output graylog>
>     Module om_udp
>     Host 10.1.0.215
>     Port 12201
>     OutputType GELF
>
>     #Use the following line for debugging (uncomment the fileop extension above as well)
>     Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
> </Output>
>
>
> <Route iis-to-graylog>
>     Path iis => graylog
> </Route>
>
> <Route eventlog-to-graylog>
>     Path eventlog => graylog
> </Route>
>
> # EOF--------------------------------------
>
>
>
> Thanks for reading.
>
> Guillaume.
