Grokparsefailure IIS Logs

nu11ahnung · December 18, 2018, 11:23am

I want to filter IIS Logs. I chose the default logging options + bytes sent.
I configured my grok filter like this

filter {
  if "iis" in [tags] {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{N$
  }
}
}

This is an example message field.

2017-02-25 18:23:47 192.168.1.8 POST /ApiRemoting30/WebService.asmx - 8530 WSUS01\Administrator 192.168.1.8 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 170

I get a grokparsefailure for all my logs

Christian_Dahlqvist · December 18, 2018, 11:29am

It looks to me like there is nothing matching the iisSite field as the timestamp is directly followed by an IP. The ending of the expression also seems off.

nu11ahnung · December 18, 2018, 11:44am

Thank you for your quick reply. I deleted the iisSite field from my config and it still doesn't work
This is one of my mst recent messages
2018-12-18 11:41:31 192.168.1.8 HEAD 1812185441 8530 - 192.168.3.15 Windows-Update-Agent - 200 0 0 273 209

Christian_Dahlqvist · December 18, 2018, 11:49am

I would recommend building the pattern step-by-step as described in this blog post. That is generally the recommended way to create and/or debug grok expressions.

nu11ahnung · December 20, 2018, 9:52am

If someone wants to do the same this is my Filter for 8.5 IIs Logs for a wsus server (windows server 2012 r)

>  filter {
>   if "iis" in [tags] {
>   grok {
>     match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:s-ip} %{WORD:method} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:scstatus} %{NUMBER:scsubstatus} %{NUMBER:sc-win32-status} %{NUMBER:sc-bytes} %{NUMBER:timetaken:int}" }
> 
>   }
>  
>     if [scstatus] == "200" {
> 	 mutate {
>         replace => {"message" => "Success"}
>         }
> 		}
>     if [scstatus] == "206" {
> 		mutate {
>         replace => {"message" => "Continuation: OK"}
>         }
> 		}
>     if [scstatus] == "401" {
>         mutate {
> 		replace => {"message" => "Authorization: OK if followed by 200"}
>         }
> 		}
>     if [scstatus] == "403" {
> 		mutate {
>         replace => {"message" => "Access failure: Certificate issues or incorrect IIS configuration."}
>         }
> 		}
>     if [scstatus] == "404" {
>         mutate {
> 		replace => {"message" => "Not found: Missing Virtual directory or IIS configuration"}
>         }
> 		}
>     if [scstatus] == "500" {
>         mutate {
> 		replace => {"message" => "Service not available"}
>         }
> 		}
>     if [scstatus] == "503" {
>         mutate {
> 		replace => {"message" => "Busy: This can be caused by a WSUS application pool memory issue or just too many client connections. To fix the issue, increase the WSUS Application Pool Private memory limit to 4–8 GB. Some environments may require more than 8 GB; adjust this setting as needed."}
>         }
> 		}
>   }
> }

system · January 17, 2019, 9:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure for IIS logs Logstash	10	2878	July 6, 2017
Help in grok filter Logstash	2	286	January 24, 2019
How filebeat collect iis log through grok filter? tags:_grokparsefailure Logstash	5	4384	July 6, 2017
_grokparsefailure still happening for a small number of IIS log entries - how to track them down? Logstash	7	1211	July 6, 2017
Parsing iis log Logstash	4	2215	June 27, 2018

Grokparsefailure IIS Logs

Related topics