Hello all,
I have a simple question, but I cannot find an answer that satisfies me.
I am sending IIS 7.5 logs to Logstash, but we have a monitoring tool that is doing a health check every minute.
The message line is like this:
2019-03-22 09:32:21 W3SVC2 DEV-SERVER-001 10.0.143.17 GET /health-monitoring - 80 - 10.0.143.12 HTTP/1.1 - - - www.dev-site.com 200 0 0 274 81 15
so it gives :
And I don't want the lines containing the word "health" to be sent, because they are pointless to me, and polluting my views and my index.
I tried on the Filebeat side to add this:
    exclude_lines: ['.*health.*']
in the iis.yml file, but still they are sent.
Oh, and this is my Logstash config file:
input {
  beats {
    port => 5044
    #type => "iis"
  }
}
filter {
  dissect {
    mapping => {
      message => '%{log_timestamp} %{+log_timestamp} %{s-sitename} %{s-computername} %{s-ip} %{cs-method} %{cs-uri-stem} %{cs-uri-query} %{s-port} %{cs-username} %{c-ip} %{cs-version} %{cs-user-agent} %{cs-cookie} %{cs-referer} %{cs-host} %{sc-status} %{sc-substatus} %{sc-win32-status} %{sc-bytes} %{cs-bytes} %{time-taken}'
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-iis-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  stdout { codec => rubydebug }
}
Thank you for your help.
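
One way to drop these events on the Logstash side, as an added example that is not part of the original post: a conditional placed after the dissect filter that matches the parsed fields instead of the word "health" anywhere in the line. The path and client address come from the sample line above; treating 10.0.143.12 as the monitoring tool's address is an assumption.

```logstash
filter {
  # Same dissect mapping as in the post, so the fields below exist.
  dissect {
    mapping => {
      message => '%{log_timestamp} %{+log_timestamp} %{s-sitename} %{s-computername} %{s-ip} %{cs-method} %{cs-uri-stem} %{cs-uri-query} %{s-port} %{cs-username} %{c-ip} %{cs-version} %{cs-user-agent} %{cs-cookie} %{cs-referer} %{cs-host} %{sc-status} %{sc-substatus} %{sc-win32-status} %{sc-bytes} %{cs-bytes} %{time-taken}'
    }
  }

  # Drop only the monitor's own probe: exact URI stem AND known probe source.
  # A substring match on the whole message would also discard any request
  # that carries "health" in its query string, referer or user agent,
  # which leaves a gap in the access-log record.
  if [cs-uri-stem] == "/health-monitoring" and [c-ip] == "10.0.143.12" {
    drop { }
  }
}
```

Requests to the same path from any other client address still reach the index, so unexpected callers of the health endpoint remain visible.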