I'm having trouble with the date filter. It doesn't seem to be updating the timestamp correctly.
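# IIS W3C access-log pipeline: grok the line, parse the timestamp, coerce the
# numeric fields and derive browser.* fields from the user agent.
filter {
  if [type] == "iis" {
    # Field order follows the W3C extended log layout written by IIS; a line
    # with a different field set will not match and is tagged _grokparsefailure.
    # NOTE(review): cookie and uriQuery are indexed verbatim, so any session
    # identifier or token carried in them ends up in the index — drop or hash
    # them if the index is readable beyond the log owners.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}" }
    }
    # Sets @timestamp from the log line. remove_field only runs when parsing
    # succeeds, so an event that still carries log_timestamp and the
    # _dateparsefailure tag means neither pattern matched the field's actual
    # value; compare the raw value character by character against the pattern.
    # NOTE(review): IIS writes W3C log times in UTC by default; with no
    # timezone option the filter interprets the value in the Logstash host's
    # zone — confirm the host zone or set timezone => "UTC" explicitly.
    date {
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
      target => "@timestamp"
      remove_field => [ "log_timestamp" ]
    }
    # Hash form of convert is equivalent to the repeated array form.
    mutate {
      convert => {
        "bytesSent"     => "integer"
        "bytesReceived" => "integer"
        "timetaken"     => "integer"
      }
    }
    # IIS replaces spaces in the user-agent string with '+', which the
    # useragent parser does not understand (the sample event parses
    # "Mozilla/4.0+..." as browser.name => "Other"). Work on a copy under
    # @metadata so the raw userAgent field is preserved and the copy never
    # reaches the output. add_field is a common option applied after the
    # plugin's own work, so the copy and the gsub live in separate blocks.
    mutate {
      add_field => { "[@metadata][ua]" => "%{userAgent}" }
    }
    mutate {
      gsub => [ "[@metadata][ua]", "[+]", " " ]
    }
    useragent {
      source  => "[@metadata][ua]"
      prefix  => "browser."
      regexes => "/etc/logstash/regexes.yaml"
    }
  }
}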
This is the debug log. I have changed some details.
{
"log_timestamp" => "2017-04-20 14:04:04",
"referer" => "-",
"win32response" => "0",
"browser.os_name" => "Windows",
"source" => "ex170420.log",
"type" => "iis",
"requestHost" => "hostname",
"browser.name" => "Other",
"timetaken" => 15,
"browser.os" => "Windows",
"clientIP" => "0.0.0.0",
"@version" => "1",
"beat" => {
"hostname" => "HOST",
"name" => "HOST",
"version" => "5.3.0"
},
"host" => "HOST",
"serverIP" => "0.0.0.0",
"protocolVersion" => "HTTP/1.1",
"offset" => 527048,
"method" => "POST",
"cookie" => "...",
"uriStem" => "/",
"input_type" => "log",
"userAgent" => "Mozilla/4.0+...",
"bytesSent" => 892,
"message" => "2017-04-20 14:04:04 ...",
"serviceName" => "W3SVC1",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_dateparsefailure"
],
"bytesReceived" => 908,
"@timestamp" => 2017-04-20T14:05:08.919Z,
"uriQuery" => "-",
"port" => "80",
"response" => "200",
"subresponse" => "0",
"fields" => {
"log_type" => "W3SVC1"
},
"username" => "-",
"browser.device" => "Other"
}