Nxlog Configuration for Windows DHCP, IIS to send to logstash

nxlog.conf

## See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

## Config file structure
##
## nxLog Directory Locations
## Extensions
## IIS Log Parsing Modules (If IIS is detected)
## Input Modules
## Dedupe for Windows Logs
## Output Modules
## Route Modules
##
# Tested on Server 2008, Server 2008 R2 
# Adjust Out modules based on your own logstash configurations

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO


#Extensions----------------------------------------------------------------------------------

<Extension gelf>
		Module  xm_gelf
</Extension>

<Extension json>
        Module  xm_json
</Extension>
#Uncomment this and the file out in the DHCP OUT to check output.
#<Extension fileop>
#    Module   xm_fileop
#</Extension>

#Extensions----------------------------------------------------------------------------------

# Select the input folder where logs will be scanned
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
# Uncomment Extension w3c for IIS logging
 
# Window Event Log 
<Input in>
Module      im_msvistalog

</Input>

#Fields obtained from DHCP Server logs
<Extension ParseDHCP>
        Module  xm_csv
                
		Fields $ID ,$Date ,$Time ,$Description ,$IPAddress ,$ReportedHostname ,$MACAddress ,$UserName ,$TransactionID ,$QResult ,$Probationtime ,$CorrelationID ,$Dhcid ,$VendorClass(Hex) ,$VendorClass(ASCII) ,$UserClass(Hex) ,$UserClass(ASCII) ,$RelayAgentInformation ,$DnsRegError
        Delimiter       ','
</Extension>

#Used to parse IIS w3c logs, fields are based on logs and may differ based on the system using w3c formatted logs
<Extension w3c1>
        Module  xm_csv
                
		Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $sc-status, $sc-substatus, $sc-win32-status, $time-taken
        Delimiter       ' '
</Extension>

#DHCP logs assumed they are located in default location
#Use "sysnative" for DHCP Log location for 32-bit applications to access the SYSTEM32 directory on a 64 Bit System
#Use "system32" for DHCP Log location on 32 Bit systems
<Input DHCP_IN>
    Module      im_file
    File        "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    SavePos     TRUE
    InputType   LineBased
    Exec $Message = $raw_event;
	
	#Exec if $raw_event =~ /^30/ \
	#	log_info($raw_event);   \
	#	$IDdef = "DNSUpdateRequest";
		
    Exec if $raw_event =~ /^[0-9][0-9],/						\
		{														\
			ParseDHCP->parse_csv();	 							\
			if $raw_event =~ /^00/ $IDdef = "The log was started.";	\
			if $raw_event =~ /^01/ $IDdef = "The log was stopped.";	\
			if $raw_event =~ /^02/ $IDdef = "The log was temporarily paused due to low disk space.";	\
			if $raw_event =~ /^10/ $IDdef = "A new IP address was leased to a client.";	\
			if $raw_event =~ /^11/ $IDdef = "A lease was renewed by a client.";	\
			if $raw_event =~ /^12/ $IDdef = "A lease was released by a client.";	\
			if $raw_event =~ /^13/ $IDdef = "An IP address was found to be in use on the network.";	\
			if $raw_event =~ /^14/ $IDdef = "A lease request could not be satisfied because the scope's address pool was exhausted.";	\
			if $raw_event =~ /^15/ $IDdef = "A lease was denied.";	\
			if $raw_event =~ /^16/ $IDdef = "A lease was deleted.";	\
			if $raw_event =~ /^17/ $IDdef = "A lease was expired and DNS records for an expired leases have not been deleted.";	\
			if $raw_event =~ /^18/ $IDdef = "A lease was expired and DNS records were deleted.";	\
			if $raw_event =~ /^20/ $IDdef = "A BOOTP address was leased to a client.";	\
			if $raw_event =~ /^21/ $IDdef = "A dynamic BOOTP address was leased to a client.";	\
			if $raw_event =~ /^22/ $IDdef = "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.";	\
			if $raw_event =~ /^23/ $IDdef = "A BOOTP IP address was deleted after checking to see it was not in use.";	\
			if $raw_event =~ /^24/ $IDdef = "IP address cleanup operation has began.";	\
			if $raw_event =~ /^25/ $IDdef = "IP address cleanup statistics.";	\
			if $raw_event =~ /^30/ $IDdef = "DNS update request to the named DNS server.";	\
			if $raw_event =~ /^31/ $IDdef = "DNS update failed.";	\
			if $raw_event =~ /^32/ $IDdef = "DNS update successful.";	\
			if $raw_event =~ /^33/ $IDdef = "Packet dropped due to NAP policy.";	\
			if $raw_event =~ /^34/ $IDdef = "DNS update request failed.as the DNS update request queue limit exceeded.";	\
			if $raw_event =~ /^35/ $IDdef = "DNS update request failed.";	\
			if $raw_event =~ /^36/ $IDdef = "Packet dropped because the server is in failover standby role or the hash of the client ID does not match.";	\
			if $raw_event =~ /^[5-9][0-9]/ $IDdef = "Codes above 50 are used for Rogue Server Detection information.";	\
			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,0,/ $QResultDef = "NoQuarantine";	\
			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,1,/ $QResultDef = "Quarantine";	\
			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,2,/ $QResultDef = "Drop Packet";	\
			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,3,/ $QResultDef = "Probation";	\
			if $raw_event =~ /^.+,.+,.+,.+,.+,.+,.+,.+,6,/ $QResultDef = "No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.";	\
			$host			=	hostname_fqdn();				\
			$EventTime 		= 	parsedate($Date + " " + $Time);	\
			$SourceName 	= 	"DHCPEvents";					\
            $Message 		= 	to_json();						\
		}														\
		else													\
            drop();

</Input>
 
 <Input IIS_IN_1>
    Module    im_file
    #File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\*.*"
    SavePos  TRUE
	
    Exec if $raw_event =~ /^#/ drop();								\
       else															\
       {															\
            w3c1->parse_csv();	 							\
			$host			=	hostname_fqdn();					\
			$EventTime 	= 	parsedate($date + " " + $time + "Z");		\
			$Time 			= 	($Time +"Z");						\
			$SourceName 	= 	"IIS";						    	\
            $SiteName 		= 	"Default Web Site";							\
            $Message 		= 	to_json();							\
       }
	   
</Input>
 
<Processor dedupe>
Module      pm_norepeat
</Processor>

<Output out>
		Module      om_udp
		OutputType  GELF
		Host        gelflog.cshl.edu
		Port        12201
</Output>

#Uncomment Exec file_write to view output. Usefull for debugging purposes
<Output DHCP_Out>
        Module      om_udp
		OutputType  GELF
		Host        gelflog.cshl.edu
		#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_json.log",  $json);
		#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_message.log",  $message);
		#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_raw.log",  $raw_event);
		Port        12201
</Output>

<Output IIS_Out_1>
        Module      om_udp
		OutputType  GELF
		Host        gelflog.cshl.edu
		Port        12201
</Output>

<Route win_1>
	Path        in => dedupe => out
</Route>

<Route DHCP>
	Path DHCP_IN => DHCP_OUT
</Route>

<Route 1>
	Path IIS_In_1 => IIS_Out_1
</Route>

Using this config file I am getting all logs on log server but these logs are not readable(might be encrypted)
How I can fix this issue?