IIS Dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
TexasSTX
Posts: 6
Joined: Mon Jan 07, 2019 12:44 pm

IIS Dashboard

Post by TexasSTX »

Howdy!

I'm fairly new to Nagios Log Server. I've been successful in setting up other dashboards, but I'm having issues setting up the IIS Dashboard.

I've added the modifications to the .conf file:

```
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-sitename, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

# Convert the IIS logs to JSON and use the original event time
<Input IIS_Site>
    Module    im_file
    File    "D:\\Logs\\IIS\\devcorps\\W3SVC34\\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~ /^#/ drop();          \
       else                                     \
       {                                        \
            w3c->parse_csv();                   \
            $SourceName = "IIS";                \
            $Message = $raw_event;              \
       }
```

```
<Output IIS-out>
    Module om_tcp
    Host xxx.xxx.xxx.xxx
    Port 5142
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route IIS>
    Path IIS_Site => IIS-out
</Route>
```

Created the following Input:

```
tcp {
    type => 'IIS_requests'
    tags => 'IIS_requests'
    port => 5142
    codec => json
}
```

And created the following filter:

```
# The type check is case-sensitive and must match the input's `type` exactly
# ('IIS_requests' above), otherwise none of these filters run.
if [type] == 'IIS_requests' {
  grok {
    match => ['message', '%{DATESTAMP:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:request} (?:%{NOTSPACE:param}|-) %{NUMBER:port} (?:%{USER:username}|-) %{IPORHOST:clientip} (?:%{NOTSPACE:agent}|-) - %{NUMBER:response} %{NUMBER:status} %{NUMBER:sub-status} %{NUMBER:time-taken}']
  }
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
  geoip {
    source => "c-ip"
  }
}
```

I've also ensured that port 5142 TCP is open in the firewall.

```
[root@FT-NagiosLS logstash]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp 9300-9400/tcp 3515/tcp 5544/tcp 2056/tcp 2057/tcp 5544/udp 5142/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

What am I missing? I'm not getting any information to populate either the queries or the dashboard.

Thanks
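The nxlog block in the post above does two things that are easy to get wrong when copying a field list from an IIS log header: it drops the `#` header lines and splits each data row on single spaces into the named, typed fields. The following is an added example (not from this thread, Nagios or nxlog) that does the same parsing in Python, but reads the column names from the `#Fields:` header instead of hardcoding them, casts the same columns to integers as the `FieldTypes` line, maps `-` to an undefined value, and keeps the raw line as `message` the way the Output block renames it. The sample log is constructed; IIS encodes spaces inside values as `+`, which is why splitting on single spaces is safe.

```python
import json

# Constructed sample of an IIS W3C extended log: '#' lines are header metadata,
# the '#Fields:' line names the columns, data rows are space-delimited and
# '-' marks an undefined value (the UndefValue in the nxlog config).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-01-07 12:44:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-01-07 12:44:01 W3SVC34 WEB01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2019-01-07 12:44:02 W3SVC34 WEB01 10.0.0.5 POST /login.aspx ReturnUrl=%2f 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://example.test/ 302 0 0 120
"""

# Same columns that the FieldTypes line in the nxlog config declares as integer.
# Note that the header names keep IIS's parentheses, e.g. cs(User-Agent), whereas the
# nxlog Fields line in the thread spells that column $csUser-Agent.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
UNDEF_VALUE = "-"


def parse_iis_w3c(text):
    """Yield one dict per data row, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            # Equivalent of nxlog's `if $raw_event =~ /^#/ drop()`, except that the
            # field list is taken from the header rather than copied by hand.
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = raw.split(" ")
        if len(values) != len(fields):
            # A mismatch here is the usual symptom of a Fields list that does not
            # match the log's header (extra or missing columns).
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {raw!r}")
        event = {}
        for name, value in zip(fields, values):
            if value == UNDEF_VALUE:
                event[name] = None
            elif name in INTEGER_FIELDS:
                event[name] = int(value)
            else:
                event[name] = value
        # Mirror `$Message = $raw_event` and the later rename to `message`.
        event["message"] = raw
        event["SourceName"] = "IIS"
        yield event


def to_json_lines(text):
    """Serialize parsed events as the JSON documents the om_tcp output would send."""
    return [json.dumps(event, sort_keys=True) for event in parse_iis_w3c(text)]


if __name__ == "__main__":
    for line in to_json_lines(SAMPLE_LOG):
        print(line)
```

Running it prints two JSON documents whose keys are the IIS header names; comparing that output with what arrives on port 5142 is a quick way to confirm that the nxlog `Fields` list lines up with the log's own `#Fields:` header.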
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: IIS Dashboard

Post by scottwilkerson »

You are missing the input that specifies the file to send, such as

```
<Input iis_w3c>
    Module      im_file
    File        'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    InputType  w3c
</Input>
```

There are examples to be seen in nxlog's documentation
https://nxlog.co/documentation/nxlog-us ... ll#iis_w3c
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
TexasSTX
Posts: 6
Joined: Mon Jan 07, 2019 12:44 pm

Re: IIS Dashboard

Post by TexasSTX »

First bit of code was a little long, but I did include:

```
# Convert the IIS logs to JSON and use the original event time
<Input IIS_Site>
    Module    im_file
    File    "D:\Logs\IIS\devcorps\W3SVC34\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~ /^#/ drop();          \
       else                                     \
       {                                        \
            w3c->parse_csv();                   \
            $SourceName = "IIS";                \
            $Message = $raw_event;              \
       }
</Input>
```

That should cover it, no?

That was pulled directly from the configs on the exchange site.

Thanks again!
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: IIS Dashboard

Post by scottwilkerson »

Sorry I missed that, but I think you need to change this

```
File    "D:\Logs\IIS\devcorps\W3SVC34\u_ex*"
```

to this

```
File    'D:\Logs\IIS\devcorps\W3SVC34\u_ex*'
```

If you use the double quotes, you would need to double up the backslashes.
TexasSTX
Posts: 6
Joined: Mon Jan 07, 2019 12:44 pm

Re: IIS Dashboard

Post by TexasSTX »

OK, got it all working except the geoip portion.

One other question though: because we have hundreds of sites that we manage, is there a way to recursively monitor log files, or would we have to create alternate site inputs for each site?

Thanks for the help!
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: IIS Dashboard

Post by scottwilkerson »

TexasSTX wrote:
> One other question though: because we have hundreds of sites that we manage, is there a way to recursively monitor log files, or would we have to create alternate site inputs for each site?

You can add wildcards. Instead of this

```
File    'D:\Logs\IIS\devcorps\W3SVC34\u_ex*'
```

you can use this

```
File    'D:\Logs\IIS\devcorps\W3SVC*\u_ex*'
```
TexasSTX
Posts: 6
Joined: Mon Jan 07, 2019 12:44 pm

Re: IIS Dashboard

Post by TexasSTX »

But is there a way to do it recursively through folders? We have a folder for each site, for example:

'D:\Logs\IIS\devA\W3SVC34\u_ex*'
'D:\Logs\IIS\devB\W3SVC35\u_ex*'
'D:\Logs\IIS\devC\W3SVC36\u_ex*'
'D:\Logs\IIS\devD\W3SVC37\u_ex*'

I tried 'D:\Logs\IIS\...\*.log', but it didn't seem to work out as planned. =)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: IIS Dashboard

Post by scottwilkerson »

Looks like you need this
(removing the W3SVCxx directory)

```
File    'D:\Logs\IIS\devcorps\u_ex*'
```

https://nxlog.co/docs/nxlog-ce/nxlog-re ... onfig_file

> Recursive
>
> If set to TRUE, this boolean directive specifies that input files should be searched recursively under sub-directories. This option takes effect only if wildcards are used in the filename. For example, if the File directive is set to /var/log/*.log, then /var/log/apache2/access.log will also match. Because directory wildcards are not supported, this directive only makes it possible to read multiple files from different sub-directories with a single im_file module instance. The default is TRUE.

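Two things in this thread are worth being able to check before restarting nxlog: whether a `File` directive's quoting is right (the single-quote versus doubled-backslash point above), and which files a wildcard will actually pick up under the `Recursive` semantics quoted from the documentation (wildcard on the file name only, any depth of sub-directory, no directory wildcards). The following is an added example, not code from this thread, Nagios or nxlog: it parses the `File` value from a directive line, reports quoting or directory-wildcard problems, and matches a constructed list of per-site log paths (devA..devD plus devcorps) against the pattern. Treating any backslash sequence other than `\\` inside double quotes as an error is this example's own assumption. It goes one step beyond the last reply: with the base directory set to `D:\Logs\IIS` the single directive covers every site folder.

```python
import fnmatch
import ntpath
import re

# Constructed stand-in for the per-site directories described in the thread; no
# real filesystem is touched.
CANDIDATE_FILES = [
    r"D:\Logs\IIS\devA\W3SVC34\u_ex190107.log",
    r"D:\Logs\IIS\devB\W3SVC35\u_ex190107.log",
    r"D:\Logs\IIS\devC\W3SVC36\u_ex190107.log",
    r"D:\Logs\IIS\devD\W3SVC37\u_ex190107.log",
    r"D:\Logs\IIS\devcorps\W3SVC34\u_ex190107.log",
    r"D:\Logs\IIS\devcorps\W3SVC34\ftp_ex190107.log",
]

# A `File` directive with a single-quoted or double-quoted value.
_DIRECTIVE_RE = re.compile(r"^\s*File\s+(?P<quoted>'[^']*'|\"(?:[^\"\\]|\\.)*\")\s*$")


def parse_file_directive(line):
    """Return the literal glob from an nxlog `File` directive line.

    Single-quoted values are taken verbatim. In double-quoted values a backslash
    must be doubled, as the reply above says; any other backslash sequence is
    rejected here (an assumption of this example, not documented nxlog behaviour).
    """
    m = _DIRECTIVE_RE.match(line)
    if not m:
        raise ValueError(f"not a quoted File directive: {line!r}")
    quoted = m.group("quoted")
    body = quoted[1:-1]
    if quoted.startswith("'"):
        return body
    out = []
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 < len(body) and body[i + 1] == "\\":
                out.append("\\")
                i += 2
                continue
            raise ValueError(f"single backslash inside double quotes; double it or use single quotes: {quoted}")
        out.append(body[i])
        i += 1
    return "".join(out)


def _split_pattern(pattern):
    """Split a glob into (directory, filename), rejecting directory wildcards."""
    pat_dir, pat_name = ntpath.split(pattern)
    if any(c in pat_dir for c in "*?"):
        # Per the documentation excerpt quoted above, only the file name may contain wildcards.
        raise ValueError(f"directory wildcards are not supported: {pattern!r}")
    if not pat_name:
        raise ValueError(f"File pattern has no file name part: {pattern!r}")
    return ntpath.normcase(pat_dir).rstrip("\\"), ntpath.normcase(pat_name)


def lint_file_directive(line):
    """Return None if the directive is usable, otherwise a description of the problem."""
    try:
        _split_pattern(parse_file_directive(line))
    except ValueError as exc:
        return str(exc)
    return None


def matches_file_directive(pattern, path, recursive=True):
    """Apply the quoted im_file rule: file name must match the wildcard; the file must
    sit in the pattern's directory, or below it when Recursive is TRUE."""
    pat_dir, pat_name = _split_pattern(pattern)
    path_dir, path_name = ntpath.split(path)
    path_dir = ntpath.normcase(path_dir).rstrip("\\")
    if not fnmatch.fnmatchcase(ntpath.normcase(path_name), pat_name):
        return False
    if path_dir == pat_dir:
        return True
    return recursive and path_dir.startswith(pat_dir + "\\")


def select_files(directive_line, candidates, recursive=True):
    """Return the sorted candidate paths a `File` directive would pick up."""
    pattern = parse_file_directive(directive_line)
    return sorted(p for p in candidates if matches_file_directive(pattern, p, recursive))


if __name__ == "__main__":
    for line in (r"File    'D:\Logs\IIS\devcorps\u_ex*'", r"File    'D:\Logs\IIS\u_ex*'"):
        print(line, "->", select_files(line, CANDIDATE_FILES))
```

The `devcorps` directive from the last reply picks up only that site's `u_ex*` files; moving the base one level up to `D:\Logs\IIS` selects every site's files in one input, and the `ftp_ex*` file is excluded because the wildcard still applies to the file name.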