So what did your final nxlog.conf file have? Can you post the complete file?
On Tuesday, August 9, 2016 at 6:23:02 AM UTC-4, Guillaume Migaszewski wrote:
>
> Solved. Error in config.
>
> ## This is a sample configuration file. See the nxlog reference manual about the
> ## configuration options. It should be installed locally and is also available
> ## online at http://nxlog.org/docs/
>
> ## Please set the ROOT to the folder your nxlog was installed into,
> ## otherwise it will not start.
>
> #define ROOT C:\Program Files\nxlog
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
>
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> <Extension fileop>
>     Module xm_fileop
> </Extension>
>
> <Extension json>
>     Module xm_json
> </Extension>
>
> # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
> <Extension w3c>
>     Module xm_csv
>     Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
>     FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
>     Delimiter ' '
>     QuoteChar '"'
>     EscapeControl FALSE
>     UndefValue -
> </Extension>
>
> <Input iis>
>     Module im_file
>     File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
>     SavePos TRUE
>     Exec if $raw_event =~ /^#/ drop(); \
>          else \
>          { \
>              w3c->parse_csv(); \
>              $EventTime = parsedate($date + " " + $time); \
>              $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
>              $SourceName = "IIS"; \
>          }
> </Input>
>
> <Input eventlog>
>     Module im_msvistalog
>     ReadFromLast True
>
>     Query <QueryList>\
>         <Query Id="0" Path="Security">\
>             <Select Path="Security">*</Select>\
>             <Select Path="System">*[System/Level=4]</Select>\
>             <Select Path="Application">*[Application/Level=2]</Select>\
>             <Select Path="Setup">*[System/Level=3]</Select>\
>             <Select Path='Windows PowerShell'>*</Select>\
>         </Query>\
>     </QueryList>
> </Input>
>
> <Output graylog>
>     Module om_udp
>     Host 10.1.0.215
>     Port 12201
>     OutputType GELF
>
>     #Use the following line for debugging (uncomment the fileop extension above as well)
>     Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
> </Output>
>
> <Output Winlogs-gelf>
>     Module om_udp
>     Host 10.1.0.215
>     Port 5414
>     OutputType GELF
> </Output>
>
> <Route iis-to-graylog>
>     Path iis => graylog
> </Route>
>
> <Route eventlog-to-graylog>
>     Path eventlog => Winlogs-gelf
> </Route>
>
> On Tuesday, August 9, 2016 at 10:49:57 AM UTC+2, Guillaume Migaszewski wrote:
>>
>> Dear Graylog community,
>>
>> I am new to Graylog/Nxlog. I have managed in the last days to do what I
>> want. Collect logs from IIS and eventlog. It works but not at the same
>> time. It's either IIS logs or Event logs but not both... quite
>> frustrating.
>>
>> Here is a nxlog.conf I have built from different sources. Maybe my route
>> directive is incorrect? Please help.
>>
>> ----cut top section removed----
>> <Extension gelf>
>>     Module xm_gelf
>> </Extension>
>>
>> <Extension fileop>
>>     Module xm_fileop
>> </Extension>
>>
>> <Extension json>
>>     Module xm_json
>> </Extension>
>>
>> # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
>> <Extension w3c>
>>     Module xm_csv
>>     Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
>>     FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
>>     Delimiter ' '
>>     QuoteChar '"'
>>     EscapeControl FALSE
>>     UndefValue -
>> </Extension>
>>
>> <Input iis>
>>     Module im_file
>>     File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
>>     SavePos TRUE
>>     Exec if $raw_event =~ /^#/ drop(); \
>>          else \
>>          { \
>>              w3c->parse_csv(); \
>>              $EventTime = parsedate($date + " " + $time); \
>>              $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
>>              $SourceName = "IIS"; \
>>          }
>> </Input>
>>
>> <Input eventlog>
>>     Module im_msvistalog
>>
>>     Query <QueryList>\
>>         <Query Id="0" Path="Security">\
>>             <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>>             <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>>             <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
>>         </Query>\
>>     </QueryList>
>> </Input>
>>
>> <Output graylog>
>>     Module om_udp
>>     Host 10.1.0.215
>>     Port 12201
>>     OutputType GELF
>>
>>     #Use the following line for debugging (uncomment the fileop extension above as well)
>>     Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
>> </Output>
>>
>> <Route iis-to-graylog>
>>     Path iis => graylog
>> </Route>
>>
>> <Route eventlog-to-graylog>
>>     Path eventlog => graylog
>> </Route>
>>
>> # EOF--------------------------------------
>>
>> Thanks for reading.
>>
>> Guillaume.
