Filebeat - IIS Module Questions (search, pipeline, grok)

Hi All,
Using ES 7.0, FB 7.0 using just the IIS Module for now...

I have a few questions:

  1. The field iis.access.cookie: I am trying to figure out in Kibana how to search (under Discover)
     for the contents of the ASP.NET_SessionId; I do not seem to get accurate results, as I am not sure how to format the query in KQL.

  2. It might be easier to search for that overall if I could isolate that information into another field. I understand this is a Grok thing. How would I modify the existing pipeline and add the separation of that specific content to a new field? I hope I am saying this right.

Thanks - Chris

Example Data:

iis.access.cookie _fbp=fb.1.155913338009518.173243619;+__utmc=154350649;+__utmz=15439050649.1559133380.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(organic);+_ga=GA1.2.1801919158.1559133381;+_gat_UA-12435659-3=1;+_gcl_au=1.1.1893700599.1559133380;+_gid=GA1.2.5291068339.1559133381;+EnhancedSchematics=dpouspm;+PSHotSpots=wbsjbujpo;+PageViewCount=2;+SearchSession_LT=7f845684-4c98-1179-2c24-669ffb8e2216;+SearchSession_LT_Count=1;+acqData=%8C%33dbnqbjho%33%4B%33%39ejsfdu%3a%33%3D%33tpvsdf%33%4B%33%39ejsfdu%3a%33%3D%33nfejvn%33%4B%33%39pshbojd%3a%33%3D%33dpoufou%33%4Bovmm%3D%33ufsn%33%4Bovmm%8E;+chref=/Frigidaire-Refrigerator-Motors.htm;+not_use_hotspots=fobcmf;+ASP.NET_SessionId=iuwfs2vkxxtdgplw45nrknlw;+GABRAND=Bob

Pipeline viewed in Kibana:
{
  "filebeat-7.0.1-iis-error-default" : {
    "description" : "Pipeline for parsing IIS error logs. Requires the geoip plugin.",
    "processors" : [
      {
        "grok" : {
          "field" : "message",
          "patterns" : [
            "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:source.address} %{NUMBER:source.port:long} %{IPORHOST:destination.address} %{IPORHOST:destination.port:long} (?:HTTP/%{NUMBER:http.version}|-) (?:%{WORD:http.request.method}|-) (?:%{URIPATHPARAM:url.original}|-)(?: -)? (?:%{NUMBER:http.response.status_code:long}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
          ],
          "ignore_missing" : true
        }
      },
      {
        "remove" : {
          "field" : "message"
        }
      },
      {
        "rename" : {
          "field" : "@timestamp",
          "target_field" : "event.created"
        }
      },
      {
        "date" : {
          "formats" : [
            "yyyy-MM-dd HH:mm:ss"
          ],
          "field" : "iis.error.time",
          "target_field" : "@timestamp"
        }
      },
      {
        "remove" : {
          "field" : "iis.error.time"
        }
      },
      {
        "grok" : {
          "field" : "destination.address",
          "patterns" : [
            "%{NOZONEIP:destination.ip}"
          ],
          "pattern_definitions" : {
            "NOZONEIP" : "[^%]*"
          }
        }
      },
      {
        "grok" : {
          "field" : "source.address",
          "patterns" : [
            "%{NOZONEIP:source.ip}"
          ],
          "pattern_definitions" : {
            "NOZONEIP" : "[^%]*"
          }
        }
      },
      {
        "geoip" : {
          "field" : "source.ip",
          "target_field" : "source.geo",
          "ignore_failure" : true
        }
      }
    ],
    "on_failure" : [
      {
        "set" : {
          "value" : "{{ _ingest.on_failure_message }}",
          "field" : "error.message"
        }
      }
    ]
  }
}
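The two questions above (searching the cookie string for ASP.NET_SessionId, and pulling it into its own field with grok) can be answered with one small script. This is an added example, not code from the post or from the Filebeat IIS module: it parses the cookie string the way IIS writes it (spaces encoded as `+`, so cookies are separated by `;+`), builds the grok processor you would append to the access-log pipeline's `processors` list (the pipeline pasted above is the error-log pipeline; the cookie field comes from the access pipeline, presumably named `filebeat-7.0.1-iis-access-default` by the same convention), and checks the grok pattern offline with a tiny grok-to-regex expander so you know it matches before you touch the pipeline. The field name `iis.access.session_id` and the HMAC key are assumptions; the sample cookie is a shortened copy of the example data in the post.

```python
import hashlib
import hmac
import json
import re

# Constructed sample: shortened copy of the iis.access.cookie value in the post.
# IIS W3C logs encode spaces as "+", so the separator between cookies is ";+".
SAMPLE_COOKIE = (
    "_fbp=fb.1.155913338009518.173243619;+__utmc=154350649;"
    "+_ga=GA1.2.1801919158.1559133381;+PageViewCount=2;"
    "+ASP.NET_SessionId=iuwfs2vkxxtdgplw45nrknlw;+GABRAND=Bob"
)
SESSION_COOKIE = "ASP.NET_SessionId"
TARGET_FIELD = "iis.access.session_id"  # assumed name for the new field


def parse_iis_cookie(cookie):
    """Split an IIS cs(Cookie) value into {name: value}. IIS writes "-" for an empty field."""
    pairs = {}
    if not cookie or cookie == "-":
        return pairs
    for part in cookie.split(";+"):
        name, sep, value = part.partition("=")
        if sep:
            pairs[name.strip()] = value
    return pairs


def extract_session_id(cookie):
    """The ASP.NET_SessionId value, or None if the cookie field is empty or lacks it."""
    return parse_iis_cookie(cookie).get(SESSION_COOKIE)


def session_id_processor(target_field=TARGET_FIELD):
    """Grok processor to append to the access pipeline's "processors" list.

    Grok searches, it does not anchor, so the pattern can sit anywhere in the cookie.
    The dot in ASP.NET is escaped (an unescaped dot matches any character), and the
    custom COOKIEVALUE pattern [^;]+ stops at the next cookie; NOTSPACE would not,
    because the whole cookie string contains no spaces.
    """
    return {
        "grok": {
            "field": "iis.access.cookie",
            "patterns": ["ASP\\.NET_SessionId=%{COOKIEVALUE:" + target_field + "}"],
            "pattern_definitions": {"COOKIEVALUE": "[^;]+"},
            "ignore_missing": True,  # request without a cookie field: leave the event alone
            "ignore_failure": True,  # cookie present but no session id: do not fail the event
        }
    }


def expand_grok(pattern, definitions):
    """Expand %{NAME:field} into Python named groups so the pattern can be tried offline.

    Approximation of grok for the custom patterns used here; returns the regex and a
    map of group name -> target field (group names cannot contain dots).
    """
    fields = {}

    def sub(m):
        name, field = m.group(1), m.group(2)
        group = "g%d" % len(fields)
        fields[group] = field
        return "(?P<%s>%s)" % (group, definitions[name])

    return re.sub(r"%\{(\w+):([\w.]+)\}", sub, pattern), fields


def apply_processor(event, processor):
    """Run the grok processor over a flat event dict, honouring ignore_missing/ignore_failure."""
    cfg = processor["grok"]
    value = event.get(cfg["field"])
    if value is None:
        if cfg.get("ignore_missing"):
            return event
        raise KeyError(cfg["field"])
    for pattern in cfg["patterns"]:
        regex, fields = expand_grok(pattern, cfg.get("pattern_definitions", {}))
        m = re.search(regex, value)
        if m:
            out = dict(event)
            for group, captured in m.groupdict().items():
                out[fields[group]] = captured
            return out
    if cfg.get("ignore_failure"):
        return event
    raise ValueError("grok pattern did not match " + cfg["field"])


def session_fingerprint(session_id, key):
    """Keyed SHA-256 of the session id (hex). A raw session id in the index is a live
    credential for anyone with read access to the logs; a fingerprint still lets you
    correlate all requests of one session without storing something that hijacks it."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(json.dumps(session_id_processor(), indent=2))
    enriched = apply_processor({"iis.access.cookie": SAMPLE_COOKIE}, session_id_processor())
    print(enriched[TARGET_FIELD])
    print(session_fingerprint(enriched[TARGET_FIELD], key=b"per-deployment-secret"))
```

Once events flow through the modified pipeline, the KQL query in Discover is a plain exact match, `iis.access.session_id : "iuwfs2vkxxtdgplw45nrknlw"`, which is both faster and more reliable than a wildcard over the full cookie string (a wildcard such as `iis.access.cookie : *ASP.NET_SessionId=iuwfs2vkxxtdgplw45nrknlw*` only behaves as expected if the cookie is mapped as a keyword field, and a leading wildcard may be disabled in Kibana). Hashing the id as shown above is optional; in 7.0 there is no fingerprint ingest processor, so it would have to be done in a script processor or before shipping, and the key has to be kept out of the index.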
