-
Notifications
You must be signed in to change notification settings - Fork 4
/
all-log-types-nxlog.conf
146 lines (128 loc) · 4.03 KB
/
all-log-types-nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
# nxlog internal log rotation and retention
define NXLOGFILE %ROOT%\data\nxlog.log
# Custom variables
define IISLOGDIR c:\inetpub\logs\LogFiles
<Extension fileop>
Module xm_fileop
# Check the size of our log file every x time and rotate if it is larger than x MB
<Schedule>
Every 1 min
Exec if (file_size('%NXLOGFILE%') >= 20M) file_cycle('%NXLOGFILE%', 5);
</Schedule>
# Rotate our log file every week on sunday at midnight
<Schedule>
When @weekly
Exec file_cycle('%NXLOGFILE%', 5);
</Schedule>
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
<Processor disk_buffer>
Module pm_buffer
MaxSize 200000
WarnLimit 190000
Type Disk
</Processor>
# Perfmon input configs
<Extension perfmon>
Module xm_csv
Fields $EventTime,\
$processor_time,\
$memory_available,\
$disk_idle_time, $disk_sec_pread, $disk_sec_pwrite, $disk_reads_psec, $disk_writes_psec, $disk_read_bytes_psec, $disk_write_bytes_psec, $disk_queue_length
Delimiter ','
QuoteChar '"'
EscapeControl FALSE
UndefValue -1
</Extension>
<Input in_perfmon>
Module im_exec
Command c:\windows\system32\typeperf.exe
Arg \Processor Information(_Total)\% Processor Time
Arg \Memory\Available Bytes
Arg \LogicalDisk(_Total)\% Idle Time
Arg \LogicalDisk(_Total)\Avg. Disk sec/Read
Arg \LogicalDisk(_Total)\Avg. Disk sec/Write
Arg \LogicalDisk(_Total)\Disk Reads/sec
Arg \LogicalDisk(_Total)\Disk Writes/sec
Arg \LogicalDisk(_Total)\Disk Read Bytes/sec
Arg \LogicalDisk(_Total)\Disk Write Bytes/sec
Arg \LogicalDisk(_Total)\Current Disk Queue Length
Arg -si
Arg 10
InputType LineBased
<Exec>
if $raw_event =~ /^\"\(/ drop();
if $raw_event =~ s/\" \"/-1/g ;
perfmon->parse_csv();
$hostname = lc(hostname());
$type = "performance";
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
to_json();
</Exec>
</Input>
### IIS Log
<Extension w3c>
Module xm_csv
Fields $date, $time, $site_name, $hostname, $dst_ip, $http_method, $path, $http_query, $dst_port, $username, $src_ip, $http_version, $http_useragent, $http_cookie, $http_referer, $dst_name, $http_status, $http_substatus, $http_win32_status, $received_bytes, $sent_bytes, $response_time
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input in_iis>
Module im_file
File '%IISLOGDIR%\\u_ex*.log'
ReadFromLast True
SavePos True
Recursive True
<Exec>
if $raw_event =~ /^#/ drop();
else {
w3c->parse_csv();
$gmt_time = $date + " " + $time;
$type = "iis";
$hostname = lc($hostname);
$http_useragent = replace($http_useragent, '+', ' ');
}
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
delete($http_cookie);
delete($date);
delete($time);
to_json();
</Exec>
</Input>
# Send to Logstash
<Output out_logstash>
Module om_tcp
Host 192.168.0.10
Port 5000
OutputType LineBased
</Output>
<Route logstash_disk_buffer>
Path in_perfmon => disk_buffer => out_logstash
</Route>
<Route logstash>
Path in_iis => out_logstash
</Route>