Before you begin, you’ll need:

Configure NXLog

Copy this code into your configuration file (C:\Program Files (x86)\nxlog\conf\nxlog.conf by default).

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Replace <<LISTENER-HOST>> with your region’s listener host (for example, For more information on finding your account’s region, see Account region.

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2

#create one for each application
<Input IIS_Site1>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop();
    Exec convert_fields("AUTO", "utf-8");
    Exec $raw_event = '[<<LOG-SHIPPING-TOKEN>>][type=iis]' + $raw_event;
<Output out>
    Module  om_tcp
    Host    <<LISTENER-HOST>>
    Port    8010

<Route IIS>
    Path IIS_Site1 => out
Restart NXLog
PS C:\Program Files (x86)\nxlog> Restart-Service nxlog
Check for your logs

Confirm you’re shipping logs by opening an IIS-hosted webpage in your browser. Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.