Using Filebeat to send IIS logs from a Windows system to my Logstash server, and from there to Elasticsearch and Kibana.
Elasticsearch and Kibana: 5.3.2; Logstash and Filebeat: 5.3.2
filebeat.yml:
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
- input_type: log
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # Add the path to IIS Logs
    - d:\Inetpub\logs\logfiles\*\*
  # Sets the "type" field on each event; the Logstash filter below keys on it.
  document_type: iis

#-------------------------- Elasticsearch output ------------------------------
# Comment out
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

#----------------------------- Logstash output --------------------------------
# Uncomment and set Logstash IP
output.logstash:
  # The Logstash hosts
  hosts: ["nemesis.hstv.local:5044"]
  # Optional index name. The default index name is set to the name of the beat
  # in all lowercase.
  index: 'filebeat_iis'
iis-filter.conf:
filter {
  if [type] == "iis" {
    grok {
      # IIS W3C default field order. date and time are consumed together by
      # TIMESTAMP_ISO8601. cs-uri-query is logged unquoted (e.g. a=b&c=d, or "-"
      # when empty), so it is matched with NOTSPACE rather than a quoted URIPATH.
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|%{NOTSPACE:CS-URI-Query}) %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}" }
    }
  }
}
When I view the filebeat_iis in Kibana - Discover, every entry has 2 tags:
beats_input_codec_plain_applied
_geoip_lookup_failure
Why do I get the _geoip_lookup_failure when I haven't specified it?
It is used in a different .conf file for WinLogBeat.
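Added example (Python, not part of the original post or of Filebeat/Logstash): a parser for the IIS W3C log layout that the grok pattern above expects, plus a pre-flight check that the log's #Fields header lines up with the pattern's field list, since a mismatch between the IIS field selection and the pattern is the usual reason for a _grokparsefailure tag. The sample log lines, host names and IPs are constructed.

```python
# Field names in the order the question's grok pattern expects them
# (IIS W3C extended logging with the default field selection).
GROK_FIELDS = [
    "log_timestamp", "S-SiteName", "S-ComputerName", "S-IP", "CS-Method",
    "CS-URI-Stem", "CS-URI-Query", "S-Port", "CS-Username", "C-IP",
    "CS-Version", "CS-UserAgent", "CS-Cookie", "CS-Referer", "CS-Host",
    "SC-Status", "SC-SubStatus", "SC-Win32-Status", "SC-Bytes", "CS-Bytes",
    "Time-Taken",
]

# Constructed sample in IIS W3C format (not real traffic); '-' means "no value".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-05-10 00:01:02 W3SVC1 WEBHOST01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 HTTP/1.1 Mozilla/5.0 - - web.example.local 200 0 0 1532 421 15
2017-05-10 00:01:03 W3SVC1 WEBHOST01 10.0.0.5 GET /search q=test 80 - 10.0.0.21 HTTP/1.1 Mozilla/5.0 - http://web.example.local/ web.example.local 404 0 2 311 398 3
"""

def parse_iis_log(lines):
    """Parse IIS W3C lines into dicts keyed by the #Fields names; '-' becomes None."""
    header, records = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            header = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if header is None:
            raise ValueError("data line before #Fields header")
        values = line.split()  # IIS writes spaces inside values as '+', so split is safe
        if len(values) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(values)}: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(header, values)})
    return header, records

def to_grok_fields(header, record):
    """Map one record onto the grok pattern's names, merging date+time into log_timestamp
    (what %{TIMESTAMP_ISO8601} consumes). Raises when the IIS field selection does not
    line up with the pattern, which is the usual cause of a _grokparsefailure tag."""
    if header[:2] != ["date", "time"]:
        raise ValueError("pattern expects date and time as the first two fields")
    values = [f"{record['date']} {record['time']}"] + [record[f] for f in header[2:]]
    if len(values) != len(GROK_FIELDS):
        raise ValueError(f"log has {len(values)} fields, pattern expects {len(GROK_FIELDS)}")
    return dict(zip(GROK_FIELDS, values))

def parse_sample():
    """Run both steps over the constructed sample and return the grok-named records."""
    header, records = parse_iis_log(SAMPLE_LOG.splitlines())
    return [to_grok_fields(header, r) for r in records]
```

Point parse_iis_log at a real u_ex*.log file before changing the pattern or the IIS logging fields; if to_grok_fields raises, the two are out of step.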