vnisor/nxlog_loggly.conf

## nxlog_loggly.conf
## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

# Include your own Loggly Customer Token here
define CUSTOMER_TOKEN 2902a312-8d70-4e0f-bb48-64b3e54b6d8f

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module      xm_fileop
#</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
    Delimiter ' '
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
   Module xm_syslog
</Extension>

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec  $Message = to_json();
</Input>

# Watch your own files.
<Input file_watch>
   Module   im_file
   File     "C:\\Program Files (x86)\\nxlog\data\\nxlog.log"
   SavePos  TRUE

   # Include JSON and raw formats
   Exec  $Message = to_json() + " " + $raw_event;
</Input>

# Convert the IIS logs to JSON and use the original event time
<Input IIS_Logs>
   Module    im_file
   File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
   SavePos  TRUE

   Exec if $raw_event =~ /^#/ drop(); 				\
       else 							\
       { 							\
           w3c->parse_csv(); 					\
           $EventTime = parsedate($date + " " + $time); 	\
           $SourceName = "IIS";					\
           $Message = to_json();				\
       }
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog

    Exec  $Message = to_json();
</Input>

<Output out>
   Module om_tcp
   Host logs-01.loggly.com
   Port 514

   # Be sure to replace <CUST_TOKEN> with your unique customer token
   # Any tags specified will be accessible within Loggly. Space separated list.
   Exec to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', '%CUSTOMER_TOKEN%@41058 tag="windows"] [', 1);

   #Use the following line for debugging (uncomment the fileop extension above as well)
   #Exec file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log",  $raw_event);
</Output>

<Route 1>
   Path internal, file_watch, eventlog, IIS_Logs => out
</Route>
	## This is a sample NXLog configuration file created by Loggly. June 2013
	## See the nxlog reference manual about the configuration options.
	## It should be installed locally and is also available
	## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

	## Please set the ROOT to the folder your nxlog was installed into,
	## otherwise it will not start.

	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog
	define CERTDIR %ROOT%\cert

	# Include your own Loggly Customer Token here
	define CUSTOMER_TOKEN 2902a312-8d70-4e0f-bb48-64b3e54b6d8f

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data
	LogFile %ROOT%\data\nxlog.log

	# Include fileop while debugging, also enable in the output module below
	#<Extension fileop>
	# Module xm_fileop
	#</Extension>

	# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
	<Extension w3c>
	Module xm_csv
	Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
	FieldTypes string, string, string, string, string, string, integer, string, string, string, integer, integer, integer, integer
	Delimiter ' '
	</Extension>

	<Extension json>
	Module xm_json
	</Extension>

	<Extension syslog>
	Module xm_syslog
	</Extension>

	# Nxlog internal logs
	<Input internal>
	Module im_internal
	Exec $Message = to_json();
	</Input>

	# Watch your own files.
	<Input file_watch>
	Module im_file
	File "C:\\Program Files (x86)\\nxlog\data\\nxlog.log"
	SavePos TRUE

	# Include JSON and raw formats
	Exec $Message = to_json() + " " + $raw_event;
	</Input>

	# Convert the IIS logs to JSON and use the original event time
	<Input IIS_Logs>
	Module im_file
	File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
	SavePos TRUE

	Exec if $raw_event =~ /^#/ drop(); \
	else \
	{ \
	w3c->parse_csv(); \
	$EventTime = parsedate($date + " " + $time); \
	$SourceName = "IIS"; \
	$Message = to_json(); \
	}
	</Input>

	# Windows Event Log
	<Input eventlog>
	# Uncomment im_msvistalog for Windows Vista/2008 and later
	Module im_msvistalog

	# Uncomment im_mseventlog for Windows XP/2000/2003
	# Module im_mseventlog

	Exec $Message = to_json();
	</Input>

	<Output out>
	Module om_tcp
	Host logs-01.loggly.com
	Port 514

	# Be sure to replace <CUST_TOKEN> with your unique customer token
	# Any tags specified will be accessible within Loggly. Space separated list.
	Exec to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', '%CUSTOMER_TOKEN%@41058 tag="windows"] [', 1);

	#Use the following line for debugging (uncomment the fileop extension above as well)
	#Exec file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log", $raw_event);
	</Output>

	<Route 1>
	Path internal, file_watch, eventlog, IIS_Logs => out
	</Route>