How to set different filters for different logs in beats and logstash 6.3.2

Anil_Bind · September 7, 2018, 6:18am

Hi,

First of all, I am using version 6.3.2 for all the beats and elk stack.
I have elk setup on centOS 7 and the node is windows server 2012 r2, I was able to filter IIS logs by using below filter.

filter {

if [@metadata][beat] == "filebeat" {
{
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|"%{URIPATH:CS-URI-Query}") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}"}
}
}
}
}

The issue is I have a path having custom logs, I have grok pattern also for it, but IDK how to add that filter with the above existing filter
In the filebeat.yml I have added the path of the log but it uses the pattern of the iss.
ANY HELP!

PS. I have not used iis module because it does not works with iis 8.5.

kvch · September 7, 2018, 8:16am

To parse your custom logs you need to add a new grok filter after the existing one.

if [@metadata][beat] == "filebeat" {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} {NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|"%{URIPATH:CS-URI-Query}") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}"}
    }
    grok {
       match => { "message" => "{{ your-custom-pattern }}"}
    }
}

Alternatively, you could extend the existing pipeline of IIS module of Filebeat. You need to edit module/iis/access/ingest/default.json or module/iis/error/ingest/default.json depending on which fileset you need. A new pattern can be added to the list of processors/grok/patterns, so Ingest node can match your logs. But this requires you to forward events to Elasticsearch.

Feel free to open a pull request on Github with the pattern. It would be appreciated if you contributed it for IIS 8.5.

Anil_Bind · September 7, 2018, 8:46am

Thanks for ur help, will contribute in GitHub too.

system · October 5, 2018, 8:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Where do I place Grok Filter for IIS on logstash Beats filebeat	2	1041	May 12, 2018
Filter does not seem to supply logs for kibana Logstash	5	619	March 29, 2018
Remote IIS logs into ELK Stack? Beats filebeat	5	5533	July 5, 2017
Using beats input Logstash	3	390	January 31, 2017
Please help. I'm not getting how to input IIS logs Logstash	10	5155	July 6, 2017

How to set different filters for different logs in beats and logstash 6.3.2

Related topics