Can't get IIS Log row to match Grok-pattern

Elastic Stack Logstash
1

Hello,

I'm getting grokfailures on some of the lines on my IIS log parsing and currently i'm banging my head towards a wall. :slight_smile:

My pattern look like this:

%{TIMESTAMP_ISO8601:iis.access.time} %{IPORHOST:destination.address} %{WORD:http.request.method} %{URIPATH:url.path} %{NOTSPACE:url.query} %{NUMBER:destination.port:long} %{NOTSPACE:user.name} %{IPORHOST:source.address} %{NOTSPACE:user_agent.original} %{NOTSPACE:http.request.referrer} %{NUMBER:http.response.status_code:long} %{NUMBER:iis.access.sub_status:long} %{NUMBER:iis.access.win32_status:long} %{NUMBER:http.response.body.bytes:long} %{NUMBER:http.request.body.bytes:long} %{NUMBER:event.duration:long} %{IPORHOST:temp.proxy.ip}

And I want to match this row (probably more later):

2019-09-30 00:34:07 1.1.1.1 GET / - 443 - 2.2.2.2 Pingdom.com_bot_version_1.4_(http://www.pingdom.com/),Pingdom.com_bot_version_1.4_(http://www.pingdom.com/) - 200 0 0 40844 206 204 -

Can you see see something obvious? :slight_smile:

2

- does not match IPORHOST. IPORHOST can contain -, but cannot start with it.

3

Agree with Badger. Put {IPORHOST:temp.proxy.ip}? as you last match (basically add a question mark at the end of the grok).

1 Like
4

Thanks! :slight_smile:
But what difference makes ? at the end?

5

It makes all the difference. Because if you don't put the ?, he looks for an IP or an HOST, find a - and breaks. If you put the ? it looks for 0 or 1 occurrence of IP or HOST. It means that if it doesn't match any occurrences (as in your case since it finds - which is not matched by IPORHOST) it doesn't break.

1 Like
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.