Custom field not appearing in o/p for IIS.yml module

imti283 · April 12, 2020, 9:57am

Hi,

I am using IIS module in filebeat to ship logs to my logstash. As, I have multiple environment and sites, i am trying to add custom field in iis.yml module to make my logstash work easy and create index based on enviroment. Below is my iis.yml file -

# Module: iis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-iis.html

- module: iis
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    fields: {log_type: iisnonpro}

  # Error logs
  error:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

But its not adding the custom field iisnonpro, while i output filebeat -

Kaiyan_Sheng · April 13, 2020, 11:04pm

Hi! I tried with similar config like below and also didn't see the custom field log_type.

- module: iis
  # Access logs
  access:
    enabled: true
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    fields:
      log_type: iisnonpro

  # Error logs
  error:
    enabled: false

I also gave Custom Fields with Module Config a try, no luck. I will look into this a bit more and get back to you. Thank you for posting here!

Kaiyan_Sheng · April 14, 2020, 2:34pm

@imti283 Just found the problem! The correct syntax is

- module: system
  # Syslog
  syslog:
    enabled: true
    input:
      fields:
        testfield: iisnonpro

I used system Filebeat module for testing and the custom field I got from Filebeat looks like this:

So in your case with iis module, the config should look like:

- module: iis
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    input:
      fields:
        log_type: iisnonpro

  # Error logs
  error:
    enabled: false

imti283 · April 17, 2020, 11:38am

Thanks a lot @Kaiyan_Sheng . Will test quickly and come back.

Edit1: Yes it is working:-)

system · May 15, 2020, 11:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration problem Beats filebeat	2	299	August 7, 2018
IIS Custom Fields logging in Elasticsearch with Filebeat Beats filebeat	2	915	August 21, 2020
IIS module fields Beats filebeat	3	351	February 5, 2019
IIS module fields doesn't show up in discover page Beats filebeat	1	719	March 1, 2019
IIS Filebeat module exclude_lines not working Beats filebeat	4	845	April 30, 2019

Custom field not appearing in o/p for IIS.yml module

Related topics