Custom field not appearing in o/p for IIS.yml module

Hi,

I am using IIS module in filebeat to ship logs to my logstash. As, I have multiple environment and sites, i am trying to add custom field in iis.yml module to make my logstash work easy and create index based on enviroment. Below is my iis.yml file -

# Module: iis
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-module-iis.html

- module: iis
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    fields: {log_type: iisnonpro}

  # Error logs
  error:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

But its not adding the custom field iisnonpro, while i output filebeat -

Hi! I tried with similar config like below and also didn't see the custom field log_type.

- module: iis
  # Access logs
  access:
    enabled: true
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    fields:
      log_type: iisnonpro

  # Error logs
  error:
    enabled: false

I also gave Custom Fields with Module Config a try, no luck. I will look into this a bit more and get back to you. Thank you for posting here!

1 Like

@imti283 Just found the problem! The correct syntax is

- module: system
  # Syslog
  syslog:
    enabled: true
    input:
      fields:
        testfield: iisnonpro

I used system Filebeat module for testing and the custom field I got from Filebeat looks like this:

So in your case with iis module, the config should look like:

- module: iis
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["D:/Logs/W3SVC1/*.log"]
    exclude_line: ['^.*ELB-HealthChecker.*$']
    input:
      fields:
        log_type: iisnonpro

  # Error logs
  error:
    enabled: false

Thanks a lot @Kaiyan_Sheng . Will test quickly and come back.

Edit1: Yes it is working:-)

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.