Adding tags to IIS logs

I'm having a similar problem. I'm sending Windows event logs and IIS logs to logstash using nxlog. I have successfully added tags to the event logs to help identify the environments and host groups using this technique:

In nxlog.conf output section I've added a couple of Exec's to define the environment and hostgroups:

Module      om_tcp
Host        uscomp2947
Port        3515
Exec     $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
            to_json();
Exec	$Environment = 'dev'; \
	to_json();
Exec	$Hostgroup = 'DVS'; \
	to_json();

And the logstash.conf I'm using is pretty standard for event logs. I haven't added any additional filters to cope with the environment and hostgroup tags. It just works and the tags are visible in Kibana...

if [type] == "eventlog" {
# Incoming Windows Event logs from nxlog
mutate {
    # Lowercase some values that are always in uppercase
    lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
mutate {
# Set source to what the message says
rename => [ "Hostname", "@source_host" ]
    }
date {
# Convert timestamp from integer in UTC
match => [ "EventReceivedTime", "UNIX" ]
    }
mutate {
# Rename some fields into something more useful
rename => [ "Message", "@message" ]
rename => [ "Severity", "eventlog_severity" ]
rename => [ "SeverityValue", "eventlog_severity_code" ]
rename => [ "Channel", "eventlog_channel" ]
rename => [ "SourceName", "eventlog_program" ]
rename => [ "SourceModuleName", "nxlog_input" ]
rename => [ "Category", "eventlog_category" ]
rename => [ "EventID", "eventlog_id" ]
rename => [ "RecordNumber", "eventlog_record_number" ]
rename => [ "ProcessID", "eventlog_pid" ]
    }
mutate {
# Remove redundant fields
remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
    }

I've tried doing the same with the IIS logs, but it doesn't work. Whenever I add additional tags, the grok parser in logstash fails.

Here's the nxlog.conf...

Module    im_file
File    "D:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
SavePos  TRUE 

Exec if $raw_event =~ /^#/ drop();				\
   else							\
   {							\
        w3c->parse_csv();					\
        $EventTime = parsedate($date + " " + $time);	\
        $SourceName = "iis_inst1";				\
        $Message = to_json();				\
   }

And here's the logstash.conf...

filter {
if [type] == "iis" {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]
match => ["Environment", "%{WORD:environment}"]
match => ["Hostgroup", "%{WORD:hostgroup}"]
}
}

Module  om_tcp
Host    uscomp2947
Port    3516
Exec	$Environment = 'dev'; \
	to_json();
Exec	$Hostgroup = 'DVS'; \
	to_json();

I'm obviously doing something wrong here. Any advice would be much appreciated :slight_smile: