Date Filter Not working parsing IIS logs

I'm having trouble with the date filter. it doesn't seem to be updating the timestamp correctly.

filter {
  if [type] == "iis" {
    grok {
      match => {"message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"}
    }
    date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
        target => "@timestamp"
        remove_field => ["log_timestamp"]
    }
    mutate {
        convert => ["bytesSent", "integer"]
        convert => ["bytesReceived", "integer"]
        convert => ["timetaken", "integer"]
    }
    useragent {
        source=> "userAgent"
        prefix=> "browser."
        regexes=> "/etc/logstash/regexes.yaml"
    }

  }
}

This is the debug log. i have changed some details.

{
      "log_timestamp" => "2017-04-20 14:04:04",
            "referer" => "-",
      "win32response" => "0",
    "browser.os_name" => "Windows",
             "source" => "ex170420.log",
               "type" => "iis",
        "requestHost" => "hostname",
       "browser.name" => "Other",
          "timetaken" => 15,
         "browser.os" => "Windows",
           "clientIP" => "0.0.0.0",
           "@version" => "1",
               "beat" => {
        "hostname" => "HOST",
            "name" => "HOST",
         "version" => "5.3.0"
    },
               "host" => "HOST",
           "serverIP" => "0.0.0.0",
    "protocolVersion" => "HTTP/1.1",
             "offset" => 527048,
             "method" => "POST",
             "cookie" => "...",
            "uriStem" => "/",
         "input_type" => "log",
          "userAgent" => "Mozilla/4.0+...",
          "bytesSent" => 892,
            "message" => "2017-04-20 14:04:04 ...",
        "serviceName" => "W3SVC1",
               "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_dateparsefailure"
    ],
      "bytesReceived" => 908,
         "@timestamp" => 2017-04-20T14:05:08.919Z,
           "uriQuery" => "-",
               "port" => "80",
           "response" => "200",
        "subresponse" => "0",
             "fields" => {
        "log_type" => "W3SVC1"
    },
           "username" => "-",
     "browser.device" => "Other"
}

The Logstash log will contain details about what the date filter doesn't like with the string you want it to parse. Here I'm guessing you should use "YYYY-MM-dd HH:mm:ss" rather than "ISO8601".

i was using that earlier and it didn't work either.
i could configure it withthe below?
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]

Yes, the date filter supports multiple patterns.

ok, i have updated the config in the question. now it is not parsing messages tagged with IIS.

As I said: The Logstash log will contain details about what the date filter doesn't like with the string you want it to parse.

thanks that seems to have fixed it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.