forked from elasticsearchvn/elk-windows
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathiis-nxlog.conf
94 lines (80 loc) · 2.46 KB
/
iis-nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
# nxlog internal log rotation and retention
define NXLOGFILE %ROOT%\data\nxlog.log
# Custom variables
define IISLOGDIR c:\inetpub\logs\LogFiles
<Extension fileop>
Module xm_fileop
# Check the size of our log file every x time and rotate if it is larger than x MB
<Schedule>
Every 1 min
Exec if (file_size('%NXLOGFILE%') >= 20M) file_cycle('%NXLOGFILE%', 5);
</Schedule>
# Rotate our log file every week on sunday at midnight
<Schedule>
When @weekly
Exec file_cycle('%NXLOGFILE%', 5);
</Schedule>
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
### IIS Log
<Extension w3c>
Module xm_csv
Fields $date, $time, $site_name, $hostname, $dst_ip, $http_method, $path, $http_query, $dst_port, $username, $src_ip, $http_version, $http_useragent, $http_cookie, $http_referer, $dst_name, $http_status, $http_substatus, $http_win32_status, $bytes_toclient, $bytes_toserver, $response_time
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input in_iis>
Module im_file
File '%IISLOGDIR%\\u_ex*.log'
ReadFromLast True
SavePos True
Recursive True
Charset UTF-8
<Exec>
if $raw_event =~ /^#/ drop();
else {
w3c->parse_csv();
$gmt_time = $date + " " + $time;
$type = "iis";
$hostname = lc($hostname);
$http_useragent = replace($http_useragent, '+', ' ');
}
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
delete($http_cookie);
delete($date);
delete($time);
to_json();
</Exec>
</Input>
# Send to Logstash
<Output out_logstash>
Module om_tcp
Host 192.168.0.10
Port 5000
OutputType JSON
</Output>
<Route logstash>
Path in_iis => out_logstash
</Route>