Hi there,
We're using filebeat with great succes for most of our logging but we've received a new request from within the organisation. They want to ingest the IIS logs from our Windows Server 2016 machine but even though i have enabled the IIS module under the modules.d folder, they are not actually getting picked up apparently. In the filebeat logging i can see the following log lines:
Harvester started for file: C:\inetpub\logs\LogFiles\W3SVC18\u_ex211231_x.log
This is a good sign one might think but after a while is just closes the file without actually pushing it. So i thought that it might be because the file is just old so i let Filebeat run for a couple of days but nothing from IIS is being pushed unfortunately.
Does anyone have an idea?
Thanks!
Kind regards,
Rick
hello @rckvwijk
indeed posting the logs would be helpful in order to troubleshoot the problem.
could you enable debug log level and share them?
There can be multiple reasons why the file is not ingested, without the log there's no clue to understand what's the problem
Best regards
Hi there,
Thanks for the fast response! And i understand, i've created a log file in DEBUG mode for you.
Rick
Log lines:
2021-12-31T15:56:44.079+0100 DEBUG [input] file/states.go:68 New state added for C:\inetpub\logs\LogFiles\W3SVC3\u_ex211214_x.log
I can see that the events are filtered out (ie: not published):
2021-12-31T15:56:44.220+0100 DEBUG [publisher] pipeline/client.go:231 Pipeline client receives callback 'onFilteredOut' for event
What version of Filebeat are you using?
Could you share the content of C:\inetpub\logs\LogFiles\W3SVC7\u_ex211206_x.log from offset 623?
Hi there,
We're using FIlebeat 7.12.0 and here's the log:
#Software: Microsoft Internet Information Services 10.0#Version: 1.0#Date: 2021-12-06 07:01:39#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for foo
Hi,
Do you an update for me by any chance?
Kind regards.
hello @rckvwijk
is this the entry starting from offset 623?
do you have any of the logs entries ingested or nothing at all?
Hi Andrea,
This was the whole log file, i've only removed some certain stuff about the application itself (endpoints) and that's it. But i can check if i can find a more complete log.
hi @rckvwijk
since the offset is related to the exact content of the file it's hard without being able to match the given number with the exact content
do you have any of the logs entries ingested or nothing at all?
it seems that at offset 623 there might be an empty line, and that's the reason why it's filtered out
the previous content probably have a state already and it is skipped. do you have ingested log entries?
if it's possible without messing up your current environment (are you running on a test env or a production one? in the second case I would not suggest to do) you can try to remove the content from /data/registry/ under the set up filebeat --path.home
this will reset the registry state resulting in every file to be considered as never ingested./data/registry/filebat/log.json to check if there's any entry related to the files that seems to not be ingested
Hi Andrea,
Unfortunately it's a production machine and the filebeat instance is also used to ingest application logs which are kind of unmissable if you get what i mean. But i did go through the log.json file and i can see that there no IIS logs being picked up eventhough the regular log file is saying:
This is the actual file:
#Software: Microsoft Internet Information Services 10.0#Version: 1.0#Date: 2022-01-05 00:01:02#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for foo
But i'm not seeing the file in Kibana unfortunately .. i did remove the actual URL name.
Hopefully you can help us further!
Kind regards,
Minor update, now i'm seeing this in the log.json:
@rckvwijk C:\inetpub\logs\LogFiles\W3SVC9\u_ex220105_x.log was parsed and set a status for in the registry. current offset is 1401071, next time Filebeat will scan the file it will start from there.
The problem seems to be that the log format does not match any of the supported grok pattern in the module: beats/pipeline.yml at master · elastic/beats · GitHub
You should change what you have as
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for foo
To
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken x-forwarded-for
system
February 7, 2022, 3:32pm
13
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.