GROK match multiple pattern drop the log

tharu85 · April 27, 2020, 3:49pm

I used following grok pattern to extract IIS log. The match message containing multiple grok pattern due to IIS log configuration on several server.

Unfortunately one I have execute this filter, no messages were parsers. dropping all iis log without parsing.

Once I execute this code without grok messages are displaying.

Any issue on this code ?

filter {

    if ([type] == "iis-log" or [type] == "iis_log") 
    {
	if "beats_input_codec_plain_applied" in [tags] {
		mutate {
			remove_tag => ["beats_input_codec_plain_applied"]
		}
	}
					
	grok 
	{
		match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iis_site} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{NUMBER:input_bytes} %{NUMBER:time_taken} %{IPORHOST:srcip},\+%{IPORHOST:waf_ip}",
			  "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{IPORHOST:srcip},\+%{IPORHOST:waf_ip}",
			  "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iis_site} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{NUMBER:input_bytes} %{NUMBER:time_taken}",
			  "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes}"
		]
	}
				
	mutate 
	{
		convert => [ "dstport", "integer"]
		convert => [ "response", "integer"]
		convert => [ "sent_bytes", "integer"]
		convert => [ "input_bytes", "integer"]
		convert => [ "time_taken", "integer"]
		convert => [ "subresponse", "integer"]
		convert => [ "windows_status", "integer"]	
	}
		
	mutate {
		remove_field => ["[beat][hostname]", "[beat][name]", "[beat][version]", "[beat]", "loadbalancer_ip" ]
	}

    }
}

Badger · April 27, 2020, 9:20pm

I would write that match as

match => {
    "message" => {
        "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iis_site} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{NUMBER:input_bytes} %{NUMBER:time_taken} %{IPORHOST:srcip},\+%{IPORHOST:waf_ip}",
        "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{IPORHOST:srcip},\+%{IPORHOST:waf_ip}", 
        "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iis_site} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes} %{NUMBER:input_bytes} %{NUMBER:time_taken}",
        "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:dstip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:dstport} %{NOTSPACE:username} %{IPORHOST:load_balancer_ip} %{NOTSPACE:useragent} %{NOTSPACE:request_host} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:windows_status} %{NUMBER:sent_bytes}"
    ]
}

Also, I would strongly recommend you anchor your patterns to start of line ("^%{TIMESTAMP_ISO8601:log_timestamp} ...") for reasons explained here.

system · May 25, 2020, 9:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grokparsefailure IIS Logs Logstash	5	492	January 17, 2019
_grokparsefailure for IIS logs Logstash	10	2878	July 6, 2017
How to put two groks for IIS Logs? Logstash	5	358	December 21, 2020
Grok filter working, not extracting fields Logstash	3	1086	July 6, 2017
Can't get IIS Log row to match Grok-pattern Logstash	5	409	February 19, 2020

GROK match multiple pattern drop the log

Related topics