- https://www.cnblogs.com/yangjisen/archive/2020/04/26/12779324.html
- 完整配置文件:conf\nxlog.conf
- # Global agent settings: panic behaviour, install paths, and where NXLog keeps
- # its own log, module binaries, position cache, PID file and spool.
- # Panic Soft: internal assertion failures are logged as errors rather than
- # aborting the service (presumably chosen so log shipping keeps running).
- Panic Soft
- #NoFreeOnExit TRUE
- # NOTE(review): ROOT points at a 32-bit-style install directory; a 64-bit
- # NXLog build normally lives under C:\Program Files\nxlog — confirm on the host.
- define ROOT C:\Program Files (x86)\nxlog
- # CERTDIR and CONFDIR are not referenced anywhere below. CERTDIR is where TLS
- # material would go if the output were moved from om_udp to om_ssl.
- define CERTDIR %ROOT%\cert
- define CONFDIR %ROOT%\conf
- define LOGDIR %ROOT%\data
- define LOGFILE %LOGDIR%\nxlog.log
- LogFile %LOGFILE%
- Moduledir %ROOT%\modules
- # CacheDir holds the saved read positions (see SavePos in IISin) and SpoolDir
- # any buffered events; keep the data\ directory writable only by the service
- # account so positions and spooled audit events cannot be altered.
- CacheDir %ROOT%\data
- Pidfile %ROOT%\data\nxlog.pid
- SpoolDir %ROOT%\data
- # CSV parser for IIS W3C extended-format lines, invoked as w3c->parse_csv()
- # from the IISin input. The 15 Fields must be listed in exactly the order of
- # the "#Fields:" directive IIS writes for this site; if the site's logging
- # fields are changed in IIS, this list must be changed with it.
- # $datetime is the first column because the input merges the date and time
- # columns into one token before parsing.
- # $csUser-Agent is IIS's cs(User-Agent), renamed presumably because the
- # parentheses are not valid in a field name — verify the column mapping.
- <Extension w3c>
- Module xm_csv
- Fields $datetime, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
- # Every column is kept as a string; sc-status and time-taken are not
- # converted to integers, so numeric comparisons downstream must cast them.
- FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
- Delimiter ' '
- QuoteChar '"'
- EscapeControl TRUE
- # IIS writes '-' for an empty column; treat it as an undefined field.
- UndefValue -
- </Extension>
- # Provides to_syslog_bsd(), used by the IISout output to format each event.
- <Extension _syslog>
- Module xm_syslog
- </Extension>
- # Provides convert_fields(), used by the IISin input. AutodetectCharsets is
- # the list of source encodings tried when the source charset is given as
- # "AUTO"; detection is heuristic, so mis-detected lines may be mangled rather
- # than rejected.
- <Extension _charconv>
- Module xm_charconv
- AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
- </Extension>
- # Loaded but not referenced anywhere in this configuration. xm_exec lets
- # Exec blocks run external programs; if that capability is not needed, drop
- # this block so that a modified config cannot use it.
- <Extension _exec>
- Module xm_exec
- </Extension>
- # Self-maintenance of the agent's own log file (%LOGFILE%), not of the IIS
- # logs. Both schedules call file_cycle(..., 8), so at most 8 rotated
- # generations are kept.
- <Extension _fileop>
- Module xm_fileop
- # Check the size of our log file hourly, rotate if larger than 5MB
- <Schedule>
- Every 1 hour
- Exec if (file_exists('%LOGFILE%') and \
- (file_size('%LOGFILE%') >= 5M)) \
- file_cycle('%LOGFILE%', 8);
- </Schedule>
- # Rotate our log file every week on Sunday at midnight
- # (unconditional on size, so a small log is still cycled weekly)
- <Schedule>
- When @weekly
- Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
- </Schedule>
- </Extension>
- # Tails the IIS site logs and turns each W3C line into a parsed event.
- <Input IISin>
- Module im_file
- # IIS log directory; wildcards are supported in the file name but not in the
- # directory part. W3SVC1 is the first site only — other sites need their own
- # File entry or a wider pattern.
- File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
- # Persist the read offset (under CacheDir) so a restart resumes where it left
- # off instead of re-sending the whole file.
- SavePos TRUE
- # Processing steps, in order:
- # 1. Drop lines starting with '#' (the IIS directive/header lines).
- # 2. Convert the encoding to GBK (my log-audit server defaults to GBK while
- #    IIS logs are UTF-8; adjust to your environment). Characters with no GBK
- #    representation will not survive this conversion.
- # 3. Replace the first space with '@' so the date and time columns become one
- #    token, which w3c->parse_csv() then captures as $datetime.
- # 4. Parse the line as CSV via the xm_csv module (w3c).
- # 5. Rewrite $raw_event with tabs between columns, then restore the '@' to a
- #    space so the original date/time separator is visible again.
- # 6. Build EventTime from $datetime with the '@' undone and '+00:00' appended,
- #    so parsedate() reads the IIS timestamp as UTC; this is what corrects the
- #    8-hour offset seen on a UTC+8 collector.
- Exec if $raw_event =~ /^#/ drop(); \
- else \
- { \
- convert_fields("AUTO", "GBK"); \
- $raw_event = replace($raw_event, ' ', '@', 1); \
- w3c->parse_csv(); \
- $raw_event = replace($raw_event, ' ', "\t"); \
- $raw_event = replace($raw_event, '@', ' ', 1); \
- $EventTime = parsedate(replace($datetime, '@', ' ', 1) + '+00:00'); \
- }
- </Input>
- # Ships each event as a BSD-syslog message over UDP to the collector.
- # NOTE(review): UDP is unauthenticated, unencrypted and lossy — datagrams
- # dropped on the way are never retransmitted, and anything on the path can
- # read or forge them. For audit-grade web logs prefer om_tcp, or om_ssl using
- # the certificates under CERTDIR, if the collector can accept them. Some
- # receivers also cap BSD syslog messages at 1024 bytes; confirm that long
- # query strings and user agents arrive intact.
- <Output IISout>
- Module om_udp
- Host 10.168.100.1
- Port 514
- Exec to_syslog_bsd();
- </Output>
- # Single route: every event read by IISin is forwarded to IISout.
- <Route 1>
- Path IISin => IISout
- </Route>