Before you begin, you’ll need:

Configure NXLog

Copy this code into your configuration file (C:\Program Files (x86)\nxlog\conf\nxlog.conf by default).

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe.

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2

#create one for each application
<Input IIS_Site1>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop();
    Exec convert_fields("AUTO", "utf-8");
    Exec $raw_event = '[<<LOG-SHIPPING-TOKEN>>][type=iis]' + $raw_event;
<Output out>
    Module  om_tcp
    Host    <<LISTENER-HOST>>
    Port    8010

<Route IIS>
    Path IIS_Site1 => out
Restart NXLog
PS C:\Program Files (x86)\nxlog> Restart-Service nxlog
Check for your logs

Confirm you’re shipping logs by opening an IIS-hosted webpage in your browser. Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.