IIS logs to Logstash with nxlog

iislogginglogstashnxlog

I'm trying to join the date+time fields from the IIS log into the EventTime field for logstash digestion. This is my nxlog.conf file:

<Input iis1>
  #drop comment lines, join the date+time fields into an EventTime field, convert to json
    Module      im_file
    File 'C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log'
    ReadFromLast TRUE
    Exec        if $raw_event =~ /^#/ drop();                    \
                else                                             \
                {                                                \
                    w3c->parse_csv();                            \
                    $EventTime = parsedate($date + " " + $time); \
                    to_json ();                                  \
                }
</Input>

This is the error I get:

2013-07-22 06:11:29 ERROR if-else failed at line 51, character 391 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 51, character 228 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; invalid modifier: '-'

I'm not sure how else I can go about dealing with the date+time field. Any alternative or suggestions are welcome. Thanks!

Best Answer

You probably have an integer in the FieldTypes of your w3c xm_csv module instance. Unfortunately it cannot handle the dash '-' and fails parsing it as an integer.

You should add the UndefValue to your CSV options so that it knows a dash means no data:

<Extension w3c>
    Module      xm_csv
    Fields  $date $time $s-sitename $s-computername $s-ip $cs-method $cs-uri-stem $cs-uri-query $s-port $cs-username $c-ip $cs-version $cs-user-agent $cs-cookie $cs-referer $cs-host $sc-status $sc-substatus $sc-win32-status $sc-bytes $cs-bytes $time-taken
    Delimiter   ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>
Related Topic