## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop when rotating logs or while debugging, also enable in the output module below
#
# Module xm_fileop
#
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
Module xm_json
Module xm_syslog
Module im_internal
Exec $Message = to_json();
#This is the Windows Event Log Section - for 2008 and above use im_msvistalog - for 2003 and earlier, use im_mseventlog
#
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Exec $raw_event = to_json();
# Convert the IIS logs to JSON and use the original event time
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$raw_event = to_json(); \
}
Path eventlog => eventlog_out
Path IIS_Site1 => IIS_Site1_out