I've installed the stack on a Windows machine to be able to index and visualize IIS logs. Our logs have a custom field from the header and additional fields not in the standard W3C IIS log format. I'm trying to map the fields to get Logstash to ingest them, but I'm getting an error saying to "check that fields match your IIS log settings". I suspect that the `type` value "iis_log_1" in my file input is wrong for this log, since the fields do not match the standard format. What I haven't been able to find is which type (or which pattern) I should be using to get this to work. This is my current conf file:
# Sample Logstash configuration for ingesting a single IIS W3C log file with custom fields
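input {
  file {
    # "type" is only a label that the filter conditional below keys on; it is NOT a
    # log-format selector, so any string works as long as both places agree.
    type => "iis_log_1"
    # The file input wants forward slashes even on Windows; mixing "\" and "/" as the
    # original did is a common cause of "no files matched" (and therefore no events).
    path => "E:/PROD_IIS_LOGS/bothHosts/202004/8.2-refid1-iislogs-04/u_ex200423_x.log"
    # Only honoured the first time a file is seen; afterwards the sincedb offset wins.
    # Delete the sincedb file (or set sincedb_path) when re-ingesting for testing.
    start_position => "beginning"
  }
}

filter {
  if [type] == "iis_log_1" {
    # Drop W3C header/comment lines ("#Software:", "#Version:", "#Date:", "#Fields:").
    # NOTE: the "#Fields:" line is the authoritative column order for this file -
    # copy it from the log and build the grok pattern below to match it 1:1.
    if [message] =~ "^#" {
      drop {}
    }

    grok {
      # match takes the source field and the pattern; the original config passed a bare,
      # unquoted pattern inside [], which is a config syntax error rather than a field
      # mismatch. Field order must match the "#Fields:" header exactly; a mismatch does
      # not raise an error, it adds the "_grokparsefailure" tag to the event.
      #
      # Pattern notes:
      #  - NOTSPACE is used for any column IIS writes as "-" when empty (cs-host, XFF);
      #    IPORHOST would not match "-" or a comma-separated XFF list and fail the line.
      #  - ":int" stores counters/status codes as numbers so Kibana can aggregate them.
      match => {
        "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:computername} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port:int} %{NOTSPACE:username} %{IPORHOST:c-ip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NOTSPACE:clienthost} %{NUMBER:scstatus:int} %{NUMBER:scsubstatus:int} %{NUMBER:winstatus:int} %{NUMBER:bytessent:int} %{NUMBER:bytesreceived:int} %{NUMBER:time_taken:int} %{NOTSPACE:x-forwarded-for}"
      }
      # Keep the raw line when the pattern fails so the event can still be triaged;
      # search for tags:_grokparsefailure in Kibana while tuning the pattern.
      tag_on_failure => ["_grokparsefailure"]
    }

    # SECURITY: x-forwarded-for is whatever the upstream client or proxy sent. If IIS is
    # reachable without a trusted proxy in front of it, the header is attacker-controlled
    # and can be spoofed. Treat c-ip as the authoritative peer address and never base
    # allow/deny or attribution logic on x-forwarded-for alone.

    date {
      # IIS writes W3C logs in UTC regardless of server time zone; parse accordingly so
      # @timestamp reflects the real request time.
      match    => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
    }

    useragent {
      # Parses the (untrusted, client-supplied) UA string into browser*/os* fields;
      # "prefix" is prepended without a separator, e.g. browsername, browseros.
      source => "useragent"
      prefix => "browser"
    }

    mutate {
      # @timestamp now carries the parsed time; the string copy is redundant.
      remove_field => [ "log_timestamp" ]
    }
  }
}

output {
  elasticsearch {
    # SECURITY: plain HTTP with no credentials is acceptable only while Elasticsearch is
    # bound to loopback. If this ever points at a remote host, switch to https and add
    # user/password (or api_key) plus CA verification; do not ship logs in the clear.
    hosts => ["http://localhost:9200"]
    index => "indexforlogstash-%{+YYYY.MM.dd}"
  }
}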