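# Source: https://www.cnblogs.com/yangjisen/archive/2020/04/26/12779324.html
# Complete configuration file: conf\nxlog.conf
#
# Purpose: tail IIS W3C extended logs with im_file, parse each record with
# xm_csv, and forward it as BSD syslog over UDP to a log-audit server.
#
# NOTE(review): the <Extension>/<Schedule>/<Input>/<Output>/<Route> container
# tags were lost when this page was extracted and are restored here. The
# instance names w3c, IISin and IISout are referenced by the page itself; the
# names _syslog, _charconv, _exec, _fileop and the route name "1" follow the
# stock nxlog.conf layout and are reconstructed, not taken from the page.

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
# NOTE(review): CERTDIR and CONFDIR are defined but never used below.
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# Parse the W3C extended log with the xm_csv module.
# NOTE(review): the field list is fixed here, and the input below drops every
# line starting with '#', including the "#Fields:" header IIS writes. The
# order and count of Fields must therefore match the fields actually enabled
# in IIS logging, otherwise values are assigned to the wrong names.
<Extension w3c>
    Module      xm_csv
    Fields      $datetime, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ' '
    QuoteChar   '"'
    EscapeControl TRUE
    UndefValue  -
</Extension>

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input IISin>
    Module      im_file
    # IIS log directory; wildcards are supported in the file name but not in
    # the directory part.
    File        "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
    # Remember the read position so a restart resumes instead of re-reading.
    SavePos     TRUE

    # Steps performed by the Exec below, in order:
    #  1. Drop log lines that start with '#' (W3C header/comment lines).
    #  2. Convert the encoding to GBK (the author's log-audit server defaults
    #     to GBK while IIS logs are UTF-8; set this to match your collector).
    #  3. Merge date and time into one field by turning the first space into
    #     '@', so the space-delimited CSV parser sees a single $datetime.
    #  4. Parse the record as CSV through the w3c (xm_csv) instance.
    #  5. Rewrite $raw_event with tabs as separators and restore the first
    #     '@' to a space.
    #  6. Use the merged date and time as EventTime and append the GMT marker
    #     (+00:00) to correct the 8-hour offset of IIS timestamps.
    Exec        if $raw_event =~ /^#/ drop(); \
                else \
                { \
                    convert_fields("AUTO", "GBK"); \
                    $raw_event = replace($raw_event, ' ', '@', 1); \
                    w3c->parse_csv(); \
                    $raw_event = replace($raw_event, ' ', "\t"); \
                    $raw_event = replace($raw_event, '@', ' ', 1); \
                    $EventTime = parsedate(replace($datetime, '@', ' ', 1) + '+00:00'); \
                }
</Input>

# NOTE(review): om_udp sends every record unencrypted and unauthenticated,
# with no delivery guarantee. The forwarded IIS records carry cs-username,
# c-ip, cs-uri-query and Referer values, so anyone on the network path can
# read them, and dropped datagrams leave silent gaps in the audit trail.
# If the collector supports it, prefer a TLS transport (om_ssl, with the
# certificates kept under CERTDIR) or at least om_tcp, and restrict who can
# reach the collector port.
# NOTE(review): BSD syslog receivers commonly cap the message length; records
# with long URIs or query strings may be truncated - confirm on the collector.
<Output IISout>
    Module      om_udp
    Host        10.168.100.1
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        IISin => IISout
</Route>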