# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

# Convert the IIS logs to JSON and use the original event time
<Input IIS_Site>
    Module    im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos  TRUE
 
    Exec if $raw_event =~ /^#/ drop();          \
       else                                     \
       {                                        \
            w3c->parse_csv();                   \
            $SourceName = "IIS";                \
            $Message = $raw_event;              \
       }
</Input>
<Input IIS_Site_alt>
    Module    im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*"
    SavePos  TRUE
 
    Exec if $raw_event =~ /^#/ drop();          \
       else                                     \
       {                                        \
            w3c->parse_csv();                   \
            $SourceName = "IIS";                \
            $Message = $raw_event;              \
       }
</Input>

<Output IIS-out>
    Module om_tcp
    Host 10.32.34.27
    Port 5142
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
	Exec $raw_event = to_json();
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route IIS>
    Path IIS_Site => IIS-out
	Path IIS_Site_alt => IIS-out
</Route>