Date Filter Not working parsing IIS logs

Peter_Dwyer · April 20, 2017, 2:18pm

I'm having trouble with the date filter. it doesn't seem to be updating the timestamp correctly.

filter {
  if [type] == "iis" {
    grok {
      match => {"message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"}
    }
    date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]
        target => "@timestamp"
        remove_field => ["log_timestamp"]
    }
    mutate {
        convert => ["bytesSent", "integer"]
        convert => ["bytesReceived", "integer"]
        convert => ["timetaken", "integer"]
    }
    useragent {
        source=> "userAgent"
        prefix=> "browser."
        regexes=> "/etc/logstash/regexes.yaml"
    }

  }
}

This is the debug log. i have changed some details.

{
      "log_timestamp" => "2017-04-20 14:04:04",
            "referer" => "-",
      "win32response" => "0",
    "browser.os_name" => "Windows",
             "source" => "ex170420.log",
               "type" => "iis",
        "requestHost" => "hostname",
       "browser.name" => "Other",
          "timetaken" => 15,
         "browser.os" => "Windows",
           "clientIP" => "0.0.0.0",
           "@version" => "1",
               "beat" => {
        "hostname" => "HOST",
            "name" => "HOST",
         "version" => "5.3.0"
    },
               "host" => "HOST",
           "serverIP" => "0.0.0.0",
    "protocolVersion" => "HTTP/1.1",
             "offset" => 527048,
             "method" => "POST",
             "cookie" => "...",
            "uriStem" => "/",
         "input_type" => "log",
          "userAgent" => "Mozilla/4.0+...",
          "bytesSent" => 892,
            "message" => "2017-04-20 14:04:04 ...",
        "serviceName" => "W3SVC1",
               "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_dateparsefailure"
    ],
      "bytesReceived" => 908,
         "@timestamp" => 2017-04-20T14:05:08.919Z,
           "uriQuery" => "-",
               "port" => "80",
           "response" => "200",
        "subresponse" => "0",
             "fields" => {
        "log_type" => "W3SVC1"
    },
           "username" => "-",
     "browser.device" => "Other"
}

magnusbaeck · April 20, 2017, 2:21pm

The Logstash log will contain details about what the date filter doesn't like with the string you want it to parse. Here I'm guessing you should use "YYYY-MM-dd HH:mm:ss" rather than "ISO8601".

Peter_Dwyer · April 20, 2017, 2:23pm

i was using that earlier and it didn't work either.
i could configure it withthe below?
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss", "ISO8601" ]

magnusbaeck · April 20, 2017, 2:24pm

Yes, the date filter supports multiple patterns.

Peter_Dwyer · April 20, 2017, 2:32pm

ok, i have updated the config in the question. now it is not parsing messages tagged with IIS.

magnusbaeck · April 20, 2017, 2:34pm

As I said: The Logstash log will contain details about what the date filter doesn't like with the string you want it to parse.

Peter_Dwyer · April 20, 2017, 3:19pm

thanks that seems to have fixed it.

system · May 18, 2017, 3:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.