Filebeats IIS Grok

We ran into an issue where we were using filebeats iis module to inject iis logs from a directory. We found that the grok parsers were not properly parsing the logs sent to elasticsearch. We used the grok UI in kibana to test and successfully normalize the data to what we needed it; however when updating the default.json file and restarting the agent, the logs were still coming in as unknown. Would anyone happen to know how or what is done to force the filebeats iis module to take these patterns? I made sure that the grok pattern that worked waas at the top of the grok patterns in the default.json file.

Could you share your filebeat / iis module configurations?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.