NXLOG 配置
#define ROOT C:Program Files xlog
define ROOT C:Program Files (x86) xlog
Moduledir %ROOT%modules
CacheDir %ROOT%data
Pidfile %ROOT%data xlog.pid
SpoolDir %ROOT%data
LogFile %ROOT%data xlog.log
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
Delimiter ' '
</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input IIS_Logs>
Module im_file
File "C:inetpublogsLogFilesW3SVC18u_ex*.log"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop();
else
{
w3c->parse_csv();
$EventTime = parsedate($date + "T" + $time+"Z");
$SourceName = "IIS";
}
</Input>
<Output IIS_out>
Module om_tcp
Host 127.0.0.1
Port 5545
Exec to_json();
</Output>
<Route 2>
Path IIS_Logs => IIS_out
</Route>
Logstash 配置
input {
tcp {
port=>5545
type=>"iis-input"
codec => "json"
}
}
output {
if [type]=="iis-input" {
elasticsearch {
hosts => ["localhost:9200"]
index=>"logstash-%{type}-%{+YYYY.MM.dd}"
document_type=>"%{type}"
}
}
}