Windows-IIS.conf

####
## New Relic Logs - Basic Windows Event + IIS config v1.5
## Built in FluentD v1.7.4
## by AI of NR 2/4/2020
##
## Don't forget to add your NR license key to the <match> statement at the bottom of this file.
##

## Windows Event Log Input
<source>
  @type windows_eventlog
  @id windows_eventlog
  tag winevt.raw
  channels application,system,security
  <storage>
    @type local
    persistent true
    path c:/opt/td-agent/winevt.pos
  </storage>
</source>

#
# Windows IIS log parsing.  This config uses the standard W3C format and the standard location for IIS logs.
# It expects the log timestamp to be UTC.
# Change the path below if you store your logs elsewhere.
#
<source>
  @type tail
  tag iislog.raw
  path c:/inetpub/logs/logfiles/*/*
  pos_file c:/opt/td-agent/iislog.pos
  <parse>
    @type regexp
    expression /(?<time>\d{4}-\d{2}-\d{2} [\d:]+) (?<message>.+)/
    time_format %Y-%m-%d %H:%M:%S
	utc true
  </parse>
</source>

<filter iislog.raw>
  @type parser
  key_name message
  remove_key_name_field false
  reserve_data true
  reserve_time true
  <parse>
    @type csv
    delimiter ' '
    keys hostname,req_method,req_uri,cs-uri-query,s_port,cs-username,c_ip,req_ua,req_referer,http_code,sc-substatus,sc-win32-status,time-taken
    null_value_pattern -
    null_empty_string true
  </parse>
</filter>

#
# For a slightly nicer experience, add Service Name (s-sitename) to your log output, comment out the filter above and use this one instead.
#
#<filter iislog.raw>
#  @type parser
#  key_name message
#  remove_key_name_field false
#  reserve_data true
#  reserve_time true
#  <parse>
#    @type csv
#    delimiter ' '
#    keys service_name,hostname,req_method,req_uri,cs-uri-query,s_port,cs-username,c_ip,req_ua,req_referer,http_code,sc-substatus,sc-win32-status,time-taken
#    null_value_pattern -
#    null_empty_string true
#  </parse>
#</filter>

<filter winevt.raw>
  @type record_transformer
  <record>
    message ${record["description"]}
	  hostname ${record["computer_name"]}
  </record>
</filter>

# New Relic output
<match **>
  @type newrelic
  license_key (YourNRLicenseKeyHere)
</match>