In this quick tutorial, we will show you how to collect, send and forward IIS logs to the Graylog 2 Server using NXLog.
This tutorial assumes you have already installed Graylog 2 Server and NXLog on your Windows servers. If you have not installed Graylog 2 Server or NXLog yet, you can check the following topics:
- How To Install and Configure Graylog Server on Ubuntu 16.04 LTS
- How To Install and Configure Graylog Server on CentOS 7/ RHEL7
- How to Configure Nginx As Reverse Proxy for Graylog2
- How to Collect Windows Event Logs to Graylog2 using NXLog
Configure NXLog
– Open the nxlog.conf file and modify it as below. Make sure to replace YOUR_GRAYLOG_IP with the IP address of your Graylog server and C:\inetpub\logs\LogFiles\W3SVC1\u_ex* with the path of your IIS logs directory:
#######################################################################
#### EXTENTIONS #####
#######################################################################
<Extension _gelf>
    Module xm_gelf
</Extension>

<Extension _json>
    Module xm_json
</Extension>

# Needed for the file_write() debugging line in the graylog output below
<Extension _fileop>
    Module xm_fileop
</Extension>

#######################################################################
#### IIS NXLOG ######
#######################################################################
# Field names and order must match the "#Fields:" header line IIS writes
# into the u_ex*.log files (the default W3C field selection is listed here)
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input iis>
    Module im_file
    File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos TRUE
    # Directive lines starting with "#" are dropped; everything else is parsed
    # with the w3c extension. IIS writes timestamps in UTC, hence the "Z".
    Exec if $raw_event =~ /^#/ drop();\
         else\
         {\
             w3c->parse_csv();\
             $EventTime = parsedate($date + " " + $time + "Z");\
             $SourceName = "IIS";\
             $raw_event = to_json();\
         }
</Input>

<Output graylog>
    Module om_udp
    Host YOUR_GRAYLOG_IP
    Port 12201
    OutputType GELF
    Exec $Hostname = hostname_fqdn();
    Exec $raw_event = $Hostname + ' IIS-NXLOG ' + $raw_event;
    # Use the following line for debugging (requires the _fileop extension above)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
    Path iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################
Create a Graylog Input
-1/ Log in to the Graylog web interface using the link below (change it to the IP address of your Graylog machine):
-2/ Click on System/Inputs, and choose Inputs
-3/ Choose GELF UDP and click on Launch new input
-4/ A new popup will show. Choose a relevant Title for your input, set the Bind address to the IP of the Graylog machine and finally save.
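Added example (not part of this tutorial, nor code from NXLog or Graylog): a Python script that reproduces what the nxlog.conf above does to an IIS log line (drops the "#" directive lines, maps the 15 fields of the w3c extension, pins EventTime to UTC) and then wraps the result into the GELF 1.1 datagram that the GELF UDP input created in the steps above receives on port 12201. It also checks the "#Fields:" header line IIS writes against the Fields directive, which is the usual cause of silently mislabelled events when a site logs a different field selection. The sample log lines, the hostname, the function names and the decode helper are constructed for this example.

```python
import gzip
import json
import socket
from datetime import datetime, timezone
from itertools import zip_longest

# Field names exactly as in the xm_csv "Fields" directive of the config above
# (W3C names with "-" and "(" ")" rewritten to "_").
CONFIGURED_FIELDS = [
    "date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
    "s_port", "cs_username", "c_ip", "cs_User_Agent", "cs_Referer",
    "sc_status", "sc_substatus", "sc_win32_status", "time_taken",
]

# Constructed sample of an IIS u_ex*.log file (directive header + two requests).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-01 12:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2023-05-01 12:00:02 10.0.0.5 POST /login.aspx user=test 443 - 192.0.2.11 curl/7.88 - 401 2 5 120
"""


def w3c_to_nxlog_name(name):
    """Map a W3C header name such as cs(User-Agent) to the config's cs_User_Agent."""
    return name.replace("(", "_").replace(")", "").replace("-", "_")


def check_fields_header(header_line):
    """Compare the #Fields: line IIS actually writes with the Fields directive.

    Returns (position, name_in_log, name_in_config) for every position that
    differs; an empty list means the config matches the log. NXLog itself does
    not raise on a mismatch, it just labels every field with the wrong name.
    """
    names = [w3c_to_nxlog_name(n) for n in header_line.split()[1:]]
    return [(i, got, want)
            for i, (got, want) in enumerate(zip_longest(names, CONFIGURED_FIELDS))
            if got != want]


def parse_iis_line(line):
    """Reproduce the Input's Exec block: drop "#" lines, otherwise parse_csv()."""
    if not line.strip() or line.startswith("#"):
        return None  # drop(): directive lines never reach Graylog
    values = line.split(" ")
    if len(values) != len(CONFIGURED_FIELDS):
        raise ValueError(f"expected {len(CONFIGURED_FIELDS)} fields, got {len(values)}")
    # UndefValue "-": NXLog leaves such fields undefined, so to_json() omits them
    event = {k: v for k, v in zip(CONFIGURED_FIELDS, values) if v != "-"}
    # parsedate($date + " " + $time + "Z"): IIS writes UTC, so pin the timezone
    event["EventTime"] = datetime.strptime(
        f"{values[0]} {values[1]}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    event["SourceName"] = "IIS"
    return event


def to_gelf(event, hostname="web01.example.internal"):
    """Build the GELF 1.1 message the om_udp output emits (OutputType GELF).

    The Output's Exec lines prepend hostname_fqdn() and " IIS-NXLOG " to
    $raw_event, which becomes GELF's short_message; the other NXLog fields
    travel as additional fields with a leading underscore. hostname is assumed.
    """
    fields = {k: v for k, v in event.items() if k != "EventTime"}
    msg = {
        "version": "1.1",
        "host": hostname,
        "short_message": f"{hostname} IIS-NXLOG {json.dumps(fields)}",
        "timestamp": event["EventTime"].timestamp(),
    }
    msg.update({"_" + k: v for k, v in fields.items()})
    return msg


def gelf_datagram(msg):
    """gzip the JSON, a form the Graylog GELF UDP input accepts as one datagram."""
    return gzip.compress(json.dumps(msg).encode("utf-8"))


def decode_datagram(data):
    """Inverse of gelf_datagram, to inspect what would go on the wire."""
    return json.loads(gzip.decompress(data).decode("utf-8"))


def send_gelf(datagram, graylog_ip, port=12201):
    """Send one datagram to the GELF UDP input (real network call, not used by the test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (graylog_ip, port))


def process_log(text):
    """Run the pipeline over a whole log file: (header mismatches, GELF messages)."""
    mismatches, messages = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            mismatches = check_fields_header(line)
        event = parse_iis_line(line)
        if event is not None:
            messages.append(to_gelf(event))
    return mismatches, messages


if __name__ == "__main__":
    bad, msgs = process_log(SAMPLE_LOG)
    print("field mismatches:", bad or "none")
    for m in msgs:
        print(json.dumps(m, indent=1))
    # To exercise the Graylog input, replace YOUR_GRAYLOG_IP and uncomment:
    # send_gelf(gelf_datagram(msgs[0]), "YOUR_GRAYLOG_IP")
```

Run it against a real u_ex*.log before pointing NXLog at Graylog: if check_fields_header() reports mismatches, adjust the Fields and FieldTypes lines of the w3c extension to the field selection the site logs in IIS Manager. send_gelf() is the only part that touches the network; GELF over UDP carries no authentication or encryption, so only the web servers that should feed the input need to be able to reach port 12201 on the Graylog machine.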
Result
We hope this tutorial was helpful. If you need more information, or have any questions, just comment below and we will be glad to assist you!
1 comment
It doesn't work before adding this section to EXTENTIONS:
Module xm_fileop