Grok filter working, not extracting fields


(Laurentiu Popescu) #1

Hi,
I have an issue - I am trying to parse IIS logs but I am not getting any fields extracted. (I tested the filter against a log line in GROK Debugger and it seems fine).
The logs look like this:
2015-11-06 08:46:00 10.159.100.38 GET /portal2/api/internals/header culture= 80 - 54.72.165.221 - - 200 0 0 15
2015-11-06 08:46:00 10.159.100.38 GET /idsrv/api/services/header culture= 80 - 54.72.165.221 - - 200 0 0 93
The filter looks like this:
filter {
  if [message] =~ "^#" {
    drop {}
  }
  if [type] == "iis" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}\r"}
    }
  }
}

The output from the logstash.stdout is this:
{
       "message" => "2015-11-06 09:14:13 10.159.100.38 GET /Portal2/Home/SearchByKeyData query=00370716486988244946 80 DSG 80.254.154.59 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.31+(KHTML,+like+Gecko)+Chrome/26.0.1410.64+Safari/537.31 http://www.site.com/Portal2/Home 200 0 0 4773\r",
      "@version" => "1",
    "@timestamp" => "2015-11-06T09:14:12.382Z",
          "host" => "10.159.100.38",
          "type" => "IIS"
}

Am I doing something wrong? Why don't I see any fields extracted?

Also - Logstash is the latest version, 2.0.0 and I am using nxlog to send the logs.

(Log lines are different (in example and in stdout), the behavior is the same).


(Magnus Bäck) #2

String comparisons are case-sensitive. Your type field contains "IIS" but the conditional in your configuration file checks for equality against "iis".
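
The same filter with the type check made robust against this mistake, as an added example and not the original poster's configuration: the `mutate` filter lowercases the `type` field before the conditional, so the grok block runs whether the shipper labels events "IIS" or "iis". The grok pattern is copied unchanged from the question; the `mutate` step and the comments are additions.

```logstash
filter {
  # IIS writes header lines starting with '#'; drop them before parsing.
  if [message] =~ "^#" {
    drop {}
  }

  # nxlog sends type => "IIS" while the conditional compares against "iis".
  # Logstash string comparison is case-sensitive, so normalize the field first.
  mutate {
    lowercase => [ "type" ]
  }

  if [type] == "iis" {
    grok {
      # Pattern unchanged from the original question; the trailing \r matches
      # the CRLF line ending that nxlog leaves on each IIS log line.
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientip} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}\r" }
    }
  }
}
```

A quick way to tell the two failure modes apart when debugging: if grok ran but the pattern did not match, the event carries a `_grokparsefailure` tag; if the event has no extracted fields and no such tag, as in the stdout output above, the grok block was never entered, which points at the conditional rather than the pattern.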


(Laurentiu Popescu) #3

And it works like a charm.
Thanks for the help (I feel stupid!)!


(system) #4