Ankur Gangwar

Reputation: 1

Need regex of IIS server logs for nxLog-ce config

I have set up an IIS server on my Windows 11 system and deployed a sample Node.js application. I also have nxLog-ce running on the system. I am trying to read, parse and send the IIS logs to a remote rsyslog server connected to my Windows system. So, in my nxLog config, I am reading the IIS server log file using a regex. The config is as follows:

#sending iis server logs
<Input iis>
     Module      im_file
     File        "C:\inetpub\logs\LogFiles\W3SVC1\u_ex231010.log"
     SavePos     False
     InputType   LineBased
     ReadFromLast False
     <Exec>
        if $raw_event =~ /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([^ ]+) ([^ ]+) ([^ ]+) (\d+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)/ {
            $second=$1;
            $third=$2;
            $fourth=$3;
            $fifth=$4;
            $sixth=$5;
            $seventh=$6;
        }
     </Exec>
</Input>

And the IIS server log sample is as follows:

2023-10-10 04:53:12 ::1 GET /node - 80 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/117.0.0.0+Safari/537.36 - 404 0 2 371

Not a single key (Method, UriStem, etc.) is coming in the logs received in rsyslog:

Oct 10 12:59:27 10.228.13.4  {"EventReceivedTime":"2023-10-10 12:59:28","SourceModuleName":"iis","SourceModuleType":"im_file"}#015

I think that the if condition (given in the config) is not working because the regex is wrong.

I have tried the following regex:

20[0-9][0-9]-[01][0-9]-[0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9] .* [a-zA-Z]* .* - [0-9][0-9]+ - .* [a-zA-Z0-9\.\-\ ]+\/[0-9\.\-a-zA-Z\+]*.* - [0-9][0-9]+ [0-9]+ [0-9]+ [0-9]+

Using this regex, I am able to find the keys in the logs received on the rsyslog server, but the value for each custom key received is null:

Oct 10 12:59:27 10.228.13.4  {"EventReceivedTime":"2023-10-10 12:59:28","SourceModuleName":"iis","SourceModuleType":"im_file","second":null,"third":null,"fourth":null,"fifth":null,"sixth":null,"seventh":null}#015

Can someone please suggest what regex I should put in the nxLog-ce config so that I can get the keys with the values? Or is there anything I am doing wrong here? Any suggestion would be helpful.

Upvotes: 0

Views: 193

Answers (1)

YurongDai

Reputation: 2400

There are 15 standard fields in the IIS server log sample you provided; I think you may need to increase the number of capturing groups in your regular expression. Please try the regular expression below:

     <Exec>
        if $raw_event =~ /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)/ 
        {
            $second=$1;
            $third=$2;
            $fourth=$3;
            $fifth=$4;
            $sixth=$5;
            $seventh=$6;
        }
     </Exec>

Upvotes: 0
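To see concretely why the question's regex never matches the sample line while the answer's does, here is an added Python example (not code from either poster or from NXLog). It rebuilds both patterns group by group, reports the first group that breaks the match, and then parses the sample line into named fields. The field names are an assumption: they follow the default IIS W3C `#Fields:` order, with `date` and `time` combined into one timestamp group exactly as in the answer's regex; if your log's `#Fields:` header differs, adjust `FIELDS` to match.

```python
import re

# Constructed sample input: the log line quoted in the question.
SAMPLE_LINE = (
    "2023-10-10 04:53:12 ::1 GET /node - 80 - ::1 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+"
    "(KHTML,+like+Gecko)+Chrome/117.0.0.0+Safari/537.36 - 404 0 2 371"
)

TIMESTAMP = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
TOKEN = r"([^ ]+)"

# Groups of the regex in the question: group 5 demands digits (\d+), but the
# fifth token after the timestamp (cs-uri-query) is "-", so nothing matches.
QUESTION_GROUPS = [TIMESTAMP] + [TOKEN] * 3 + [r"(\d+)"] + [TOKEN] * 5

# Groups of the regex in the answer: timestamp plus 13 non-space tokens.
ANSWER_GROUPS = [TIMESTAMP] + [TOKEN] * 13

# Assumed field order (default IIS W3C "#Fields:" header, date+time merged).
FIELDS = [
    "timestamp", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
    "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def first_failing_group(groups, line):
    """Return the 1-based index of the first group that breaks the match,
    or None when the whole pattern matches. Useful for debugging a regex
    that silently fails inside an NXLog <Exec> block."""
    for n in range(1, len(groups) + 1):
        if re.match("^" + " ".join(groups[:n]), line) is None:
            return n
    return None


def parse_iis_line(line, groups=ANSWER_GROUPS):
    """Parse one W3C-format IIS log line into a dict, or return None for
    header/comment lines and lines that do not match."""
    if line.startswith("#"):  # IIS writes #Software/#Version/#Date/#Fields headers
        return None
    m = re.match("^" + " ".join(groups), line)
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for key, value in rec.items():
        if value == "-":            # W3C convention: "-" means the field is empty
            rec[key] = None
        elif key in INT_FIELDS:
            rec[key] = int(value)
        elif key == "cs(User-Agent)":
            # IIS encodes spaces inside a field as "+"; keep the value as an
            # opaque string, since it is client-controlled input.
            rec[key] = value.replace("+", " ")
    return rec


if __name__ == "__main__":
    print("question regex breaks at group:", first_failing_group(QUESTION_GROUPS, SAMPLE_LINE))
    print("answer regex breaks at group:", first_failing_group(ANSWER_GROUPS, SAMPLE_LINE))
    for k, v in parse_iis_line(SAMPLE_LINE).items():
        print(f"{k:>16}: {v!r}")
```

Running this reports that the question's pattern fails at group 5 and the answer's pattern matches every group, which is exactly the difference between "no custom keys at all" and "keys present with values" in the rsyslog output. Two practical notes for the NXLog side: the `#Software`, `#Version`, `#Date` and `#Fields` header lines at the top of every IIS log will not match either regex, so they simply pass through without the custom fields; and since IIS starts a new `u_ex<yymmdd>.log` file each day, a `File` directive pinned to one day's file name stops picking up events at midnight.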
