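# NXLog configuration: tail the IIS W3C logs of two sites, parse each line
# with xm_csv, and forward the events as JSON over TCP.
#
# NOTE(review): the <Extension>/<Input>/<Output>/<Route> tags were missing
# from the page (the whole config was collapsed onto one comment line).
# They are restored here from the instance names the directives reference
# (w3c->parse_csv(), "Path IIS_Site => IIS-out", ...). The two Route names
# were not recoverable and are placeholders.

# Create the parse rule for IIS logs. You can copy these from the header of
# the IIS log file.
# The Fields list must match the "#Fields:" header of the log files exactly
# (same fields, same order); if the IIS logging selection changes, values
# are assigned to the wrong field names.
<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    # IIS writes "-" for an empty field; map it to undef instead of a string.
    UndefValue      -
</Extension>

# Convert the IIS logs to JSON and use the original event time
# NOTE(review): nothing visible here assigns $EventTime from $date/$time, so
# downstream consumers only get the parsed $date and $time strings. W3C logs
# are normally written in UTC; confirm time-zone handling before adding a
# parsedate() assignment.
<Input IIS_Site>
    Module      im_file
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    # Remember the read offset across restarts so lines are not re-sent.
    SavePos     TRUE
    # Lines starting with '#' are W3C header lines (#Fields, #Date, ...), not
    # requests. $Message keeps the unparsed line for the receiver.
    Exec        if $raw_event =~ /^#/ drop(); \
                else \
                { \
                    w3c->parse_csv(); \
                    $SourceName = "IIS"; \
                    $Message = $raw_event; \
                }
</Input>

# Same pipeline for the second site (W3SVC2).
<Input IIS_Site_alt>
    Module      im_file
    File        "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*"
    SavePos     TRUE
    Exec        if $raw_event =~ /^#/ drop(); \
                else \
                { \
                    w3c->parse_csv(); \
                    $SourceName = "IIS"; \
                    $Message = $raw_event; \
                }
</Input>

# om_tcp sends events unencrypted and unauthenticated. The records carry
# cs-username, c-ip and cs-uri-query (which can hold session tokens or other
# secrets passed in query strings), so anyone on the path to 10.32.34.27 can
# read or alter them. If the collector supports TLS, om_ssl with certificate
# verification is the transport to prefer; otherwise keep this traffic on a
# trusted, segmented network.
<Output IIS-out>
    Module      om_tcp
    Host        10.32.34.27
    Port        5142
    # Re-emit $Message under the lowercase key "message" in the JSON output.
    Exec        $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    # to_json() is provided by xm_json; that Extension block is not shown on
    # this page, so confirm it is loaded elsewhere in the config.
    Exec        $raw_event = to_json();
    # Uncomment for debug output
    # (%ROOT% must be defined elsewhere in the config. The file receives full
    # log records, so restrict its ACL and disable it again after debugging.)
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

# Placeholder route names; both inputs feed the same output.
<Route route_placeholder_1>
    Path        IIS_Site => IIS-out
</Route>

<Route route_placeholder_2>
    Path        IIS_Site_alt => IIS-out
</Route>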