Add new additional field from IIS log

Hi,

I am hoping someone can help me out, I am new to elastic and am testing the Elastic.co hosted service.

I have an IIS log that has an additional field at the end, which is an IP address (in bold).

2020-03-31 09:32:58 10.1.1.1 GET /test - 443 - 10.1.1.1 HTTP/1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:45.0)+Gecko/20100101+Firefox/45.0 - test.domain.com 200 0 0 49803 663 359 4.4.4.4

I have updated the IIS module default.json file located at C:\dir\module\iis\access\ingest to include a grok pattern to pick up the new IP address field %{IPORHOST:iis.access.userip}, I tested this in the grok debugger and it parses the IP in to a field called userip.

The log file has now been ingested and is searchable in Kibana, but I can not see the additional field. After looking at a lot of documentation I can see that I likely need to update the index, but my lack of knowledge has made this confusing.

Any help would be greatly appreciated!

Jay

Hi @coopx!

In order to update indexes, mappings etc you need sth like this: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html

Beyond this, I don't think that just by adding this extra parsing part will be able to work out of the box. Fields are documented and defined so as to apply to the field mappings accordingly. See: https://github.com/elastic/beats/blob/master/filebeat/module/iis/access/_meta/fields.yml. This makes your approach quite hacky :), which is ok but you have to deal with all these internal stuff.

Since you just want this extra field I would suggest you checking script_processor and try to extract the extra field from the original message.

1 Like

Thanks so much @ChrsMark for taking the time to reply.

This is exactly the help I needed, it looks like the script_processor will do the job.

Have a great day, I'll update this thread with the solution once I have it sorted on the off chance it helps someone else.