Grokparsefailure IIS Logs

I want to filter IIS logs. I chose the default logging options + bytes sent.
I configured my grok filter like this:

filter {
  if "iis" in [tags] {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{N$
    }
  }
}

This is an example message field:

2017-02-25 18:23:47 192.168.1.8 POST /ApiRemoting30/WebService.asmx - 8530 WSUS01\Administrator 192.168.1.8 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 170

I get a grokparsefailure for all my logs.

It looks to me like there is nothing matching the iisSite field as the timestamp is directly followed by an IP. The ending of the expression also seems off.

Thank you for your quick reply. I deleted the iisSite field from my config and it still doesn't work.
This is one of my most recent messages:
2018-12-18 11:41:31 192.168.1.8 HEAD 1812185441 8530 - 192.168.3.15 Windows-Update-Agent - 200 0 0 273 209

I would recommend building the pattern step-by-step as described in this blog post. That is generally the recommended way to create and/or debug grok expressions.

If someone wants to do the same, this is my filter for IIS 8.5 logs for a WSUS server (Windows Server 2012 r):

> filter {
>   if "iis" in [tags] {
>     grok {
>       match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:s-ip} %{WORD:method} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:scstatus} %{NUMBER:scsubstatus} %{NUMBER:sc-win32-status} %{NUMBER:sc-bytes} %{NUMBER:timetaken:int}" }
>     }
>
>     if [scstatus] == "200" {
>       mutate {
>         replace => {"message" => "Success"}
>       }
>     }
>     if [scstatus] == "206" {
>       mutate {
>         replace => {"message" => "Continuation: OK"}
>       }
>     }
>     if [scstatus] == "401" {
>       mutate {
>         replace => {"message" => "Authorization: OK if followed by 200"}
>       }
>     }
>     if [scstatus] == "403" {
>       mutate {
>         replace => {"message" => "Access failure: Certificate issues or incorrect IIS configuration."}
>       }
>     }
>     if [scstatus] == "404" {
>       mutate {
>         replace => {"message" => "Not found: Missing Virtual directory or IIS configuration"}
>       }
>     }
>     if [scstatus] == "500" {
>       mutate {
>         replace => {"message" => "Service not available"}
>       }
>     }
>     if [scstatus] == "503" {
>       mutate {
>         replace => {"message" => "Busy: This can be caused by a WSUS application pool memory issue or just too many client connections. To fix the issue, increase the WSUS Application Pool Private memory limit to 4–8 GB. Some environments may require more than 8 GB; adjust this setting as needed."}
>       }
>     }
>   }
> }
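Added example, not code from the thread: a small Python harness that re-creates the final post's grok pattern with simplified stand-ins for the Logstash built-in patterns (an assumption; they are not the real Logstash definitions) and applies the step-by-step method recommended earlier, growing the pattern one field at a time and reporting the first field that breaks the match. The two sample lines are the ones posted in the thread.

```python
import re

# Simplified stand-ins for the grok patterns the filter uses (assumed, not Logstash's own).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}
TOKEN = re.compile(r"%\{(\w+)(?::([\w-]+))?(?::(\w+))?\}")  # %{SYNTAX:field:type}

IIS_PATTERN = (  # the pattern from the thread's final post (IIS 8.5 on WSUS)
    "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:s-ip} %{WORD:method} "
    "%{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} "
    "%{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} "
    "%{NUMBER:scstatus} %{NUMBER:scsubstatus} %{NUMBER:sc-win32-status} "
    "%{NUMBER:sc-bytes} %{NUMBER:timetaken:int}"
)
SAMPLE_OK = ("2018-12-18 11:41:31 192.168.1.8 HEAD 1812185441 8530 - "
             "192.168.3.15 Windows-Update-Agent - 200 0 0 273 209")
SAMPLE_OLD = (r"2017-02-25 18:23:47 192.168.1.8 POST /ApiRemoting30/WebService.asmx - 8530 "
              r"WSUS01\Administrator 192.168.1.8 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 170")

def compile_grok(pattern, full=True):
    """Return (compiled regex, [(field, type), ...]); full=False anchors only the start."""
    fields = []
    def repl(m):
        syntax, field, typ = m.groups()
        fields.append((field, typ))
        return "(" + GROK[syntax] + ")"
    body = TOKEN.sub(repl, pattern)
    return re.compile("^" + body + ("$" if full else r"(?:\s|$)")), fields

def grok_match(pattern, line):
    """Field dict for a full match (applying the :int conversion), else None."""
    rx, fields = compile_grok(pattern)
    m = rx.match(line)
    if not m:
        return None
    return {f: int(v) if t == "int" else v for (f, t), v in zip(fields, m.groups())}

def first_failing_field(pattern, line):
    """Step-by-step debugging: the first field whose addition breaks the match, or None."""
    tokens = pattern.split(" ")
    for i in range(1, len(tokens) + 1):
        rx, fields = compile_grok(" ".join(tokens[:i]), full=False)
        if not rx.match(line):
            return fields[-1][0]
    return None
```

The first log line from the thread fails at `port`, because its uri-query `-` sits where the final pattern expects a number; the second line parses fully.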
