Help in grok filter

Mustapha_MJ · December 27, 2018, 10:38am

Hello

please help me find the suitable grok filter for IIS server
the logs are logged as the following format :
2017-03-07 09:01:05 ::1 GET /Immatriculation/ImmatriculationPM/ImmatriculationPM - 5968 - ::1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36 - 302 0 0 7077

and the Fields are :

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

thanks

Mustapha_MJ · December 27, 2018, 1:31pm

ok, i solved the problem

the grok filter is :

filter {
grok {
match => {"message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:http_method} %{URIPATH:page} %{NOTSPACE:query_string} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:client_host} %{NOTSPACE:useragent} %{NOTSPACE:Referer} %{NUMBER:http_response} %{NUMBER:sub_response} %{NUMBER:sc_status} %{NUMBER:time_taken}"}
}
}

system · January 24, 2019, 1:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.