unable to fetch IIS log

[Adeel]

Here is the contents of nxlog.conf. we are not receiving IIS but receiving eventlogs. Please suggest what is wrong in it.


#############################################################################
## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
# Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
Module im_mseventlog
</Input>

<Output out>
Module om_tcp
Host 172.20.20.23
Port 3515

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

#<Route 1>
# Path internal, file1, eventlog => out
#</Route>


# Watch your IIS log files
<Input iis_log1>
Module im_file
File 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex*.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

<Route 1>
Path internal, file1, eventlog, iis_log1 => out
</Route>

##############################################################

[mcapra]

Can you enable your nxlog configuration's debug output, restart the nxlog service, and see what that file contains?

Code: Select all

# Uncomment for debug output
Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

Can you also share the contents of your Nagios Log Server machine's logstash log? It's usually located at /var/log/logstash/logstash.log.

[Adeel]

Here is the output nxlog.log after uncomment the degub mode

___________________________________________________________________
2016-11-23 09:30:53 INFO nxlog-ce-2.9.1347 started
2016-11-23 09:30:53 INFO connecting to 172.20.20.23:3515
2016-11-23 09:31:25 WARNING stopping nxlog service
2016-11-23 09:31:25 WARNING nxlog-ce received a termination request signal, exiting...
2016-11-23 09:31:29 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:59; couldn't parse statement at line 59, character 83 in C:\Program Files\nxlog\conf\nxlog.conf; procedure 'file_write()' does not exist or takes different arguments
2016-11-23 09:31:29 ERROR module 'out' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:80
2016-11-23 09:31:29 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:80
2016-11-23 09:31:29 WARNING no routes defined!
2016-11-23 09:31:29 WARNING not starting unused module internal
2016-11-23 09:31:29 WARNING not starting unused module file1
2016-11-23 09:31:29 WARNING not starting unused module eventlog
2016-11-23 09:31:29 WARNING not starting unused module out
2016-11-23 09:31:29 WARNING not starting unused module iis_log1
2016-11-23 09:31:29 INFO nxlog-ce-2.9.1347 started
#######################################################################################################################

[rkennedy]

Can you please post your nxlog configuration file as an attachment for us? I am looking at line #59, and it appears to be commented out here -

Code: Select all

59 # Uncomment for debug output
60 # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

[Adeel]

## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
# Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
Module im_mseventlog
</Input>

<Output out>
Module om_tcp
Host 172.20.20.23
Port 3515

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

#<Route 1>
# Path internal, file1, eventlog => out
#</Route>


# Watch your IIS log files
<Input iis_log1>
Module im_file
File 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex*.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

#<Route 1>
# Path internal, eventlog, iis_log1 => out
#</Route>

<Route 1>
Path internal, file1, eventlog, iis_log1 => out
</Route>

[mcapra]

Hmm, re-comment the debug output so it's excluded:

Code: Select all

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

Restart the nxlog service, and share the contents of your nxlog.log file.