How to use IIS Module with Logstash?


#1

I would like to parse my IIS logs into more fields. Both the URL as well as the query string contains data I would like to extract and store in a field.

It seems like sending the logs to Logstash rather than directly to ElasticSearch is the way to go. But when I changed the filebeat.yml to point at Logstash, I lost the GEO-IP data. Additionally the timestamp is incorrect.

In Logstash, I haven't setup any filters yet. I just push the messages to ElasticSearch.

elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }

(Noémi Ványi) #2

May I ask why do you need an LS instance between Filebeat and Elasticsearch?
You can see more about using Filebeat modules with Logstash here: https://www.elastic.co/guide/en/logstash/6.5/filebeat-modules.html
Let me know if you need more help.


#3

Thanks, Noémi, that was fast!

There are two reasons for using Logstash, but I can easily be persuaded to go back to my old configuration. I would prefer to skip Logstash since that would be less processing on the ELK server.

  1. I couldn't figure out how to setup the grok in default.json. It seems like this is where I should set things up to parse out the extra field(s) I want. There is a customerId in the query string I want extracted to its own field.
  2. I would like to enable other teams at our organization to update the ETL stuff. A Logstash pipeline is one location. Otherwise each server would need to be updated, which is not a big deal.

#4

I have been unable to get the filter to selectively work. I assume its not making a match to trigger the filter. This didn't seem to have any affect at all, data still hits elasticsearch the same as before the filter.

For troubleshooting, I briefly set filebeats to output to file:

{"@timestamp":"2018-11-27T16:52:16.940Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.4.2","pipeline":"filebeat-6.4.2-iis-access-default"},"source":"E:\\W3SVC2\\u_ex181127.log","offset":25923712,"prospector":{"type":"log"},"fields":{"env":"staging"},"beat":{"name":"STAGE","hostname":"STAGE","version":"6.4.2"},"message":"2018-11-27 16:51:13 172.17.200.155 GET /myapi/api/orders/123 OrderStatus=N 443 - 216.87.73.52 Mozilla/4.0+(compatible;+Synapse) - 200 0 0 171","tags":["ecomm"],"input":{"type":"log"},"fileset":{"name":"access","module":"iis"},"host":{"name":"STAGE"}}

Note in example below the deployment beat is from another beats instance and is getting properly redirected to its own index.

# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
#   https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

#- pipeline.id: main
#  path.config: "/etc/logstash/conf.d/*.conf"
input {
  beats {
    port => 5044
  }
}

# The filter part of this file is commented out to indicate that it
# is optional.
filter {
  if [fileset.module] =~ "iis" {
     grok {
      match => {
       "message" => [
        "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][referrer]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
        "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
        "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}",
        "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{NOTSPACE:[iis][access][server_name]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} HTTP/%{NUMBER:[iis][access][http_version]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}"
       ]
      }
     }

     mutate {
      rename => {
       "@timestamp" => "read_timestamp"
      }
     }
     date {
      match => [
       "[iis][access][time]",
       "yyyy-MM-dd HH:mm:ss"
      ]
      target => "@timestamp"
     }
     geoip {
      source => "[iis][access][remote_ip]"
      target => "[iis][access][geoip]"
     }
  }
}


output {
  if [source_name] == "Deployment" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "deployment-beat-%{[@metadata][version]}-%{+yyyy.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}


(Philip Nunn) #5

Once the doc is created in Elasticsearch, do you see any tags like "grokparsefailure" or the like on the doc?


(Noémi Ványi) #6

Could you please share your Filebeat configuration formatted using </>?


#7

Here is my filebeats config. Nothing fancy in there. Removed some comments to fit char limit.

###################### Filebeat Configuration Example #########################

#=========================== Filebeat inputs =============================

#filebeat.inputs:

#- type: log

  # Change to true to enable this input configuration.
  #enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  #paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
    #- e:\W3SVC1\*.log
      #document_type: iis

 
  #exclude_lines: ['^DBG']


  #include_lines: ['^ERR', '^WARN']

  
  #exclude_files: ['.gz$']

 
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  #multiline.match: after


#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
tags: ["ecomm"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "myserver.net:5601"

#============================= Elastic Cloud ==================================

# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["myserver.net:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["myserver.net:5044"]
  
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

  
#------------------------ File output for debugging -------------------
#output.file:
# Boolean flag to enable or disable the output module.
  #enabled: true

# Path to the directory where to save the generated files. The option is
# mandatory.
  #path: "e:\\DevOpsLogs"

# Name of the generated files. The default is `filebeat` and it generates
# files: `filebeat`, `filebeat.1`, `filebeat.2`, etc.
  #filename: filebeat_iis

# Maximum size in kilobytes of each file. When this size is reached, and on
# every filebeat restart, the files are rotated. The default value is 10240
# kB.
#rotate_every_kb: 10000

# Maximum number of files under path. When this number of files is reached,
# the oldest file is deleted and the rest are shifted from last to first. The
# default is 7 files.
  #number_of_files: 7 
  
#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== Xpack Monitoring ==============================
# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:

#8

No, I didn't see any grok errors. And I am pretty certain the ingest of geoip is working. When I check syslog, I see warnings about being unable to locate local ip addresses, which of course makes sense.