IIS Logs Per Site


#1

Does filebeat support IIS logs per site (not server)?

For instance, filebeat is configured as such:
C:\inetpub\logs\LogFiles\*\*.log

The LogFiles directory contains W3SVC1 and W3SVC2. Each subdirectory will have a log file with today's date, for instance: u_ex160621.log

From what the filebeat log file shows, the data appears to be valid:
W3SVC2:

2016-06-21T09:32:51-06:00 DBG Publish: {
"@timestamp": "2016-06-21T15:32:51.820Z",
"beat": {
"hostname": "SERVER1",
"name": "SERVER1"
},
"count": 1,
"fields": null,
"input_type": "log",
"message": "2016-06-21 00:08:55 W3SVC2 SERVER1 10.0.0.5 GET / - 443 - 10.0.0.1 - - 401 0 0 2293 7 2",
"offset": 10469,
"source": "C:\inetpub\logs\LogFiles\W3SVC2\u_ex160621.log",
"type": "log"
}

W3SVC4:

2016-06-21T09:32:51-06:00 DBG Publish: {
"@timestamp": "2016-06-21T15:32:51.823Z",
"beat": {
"hostname": "SERVER1",
"name": "SERVER1"
},
"count": 1,
"fields": null,
"input_type": "log",
"message": "2016-06-21 00:06:38 W3SVC4 SERVER1 10.0.0.5 GET / - 80 - 10.0.0.1 - - 404 0 64 2896 7 3",
"offset": 7809,
"source": "C:\inetpub\logs\LogFiles\W3SVC4\u_ex160621.log",
"type": "log"
}

However, all of my log timestamps in Kibana show a time of midnight, which is the first entry from the log file being read.


(Andrew Kroh) #2

I don't know anything about IIS logs, but the paths configuration option accepts an array of paths and each of those supports Golang glob matching. So you should be able to match against C:\inetpub\logs\LogFiles\W3SVC2\u_ex160621.log without a problem.

I'm not quite sure what you mean. The sample events you posted do not show event timestamps (@timestamp) of UTC midnight. If you want the event to use the timestamp from log message (i.e. "2016-06-21 00:06:38") then you need to send the event through Logstash and use a grok and date filter. Here's an example.
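As an added example (not code from this thread, from filebeat or from Logstash), the Python below does what the grok plus date filter pair described above would do for these files: it reads the W3C extended log, takes the column names from the #Fields directive, combines the date and time columns into a UTC @timestamp and groups the results per site. The sample lines are constructed from the two messages quoted in the question; the #Fields order is an assumption, since the question does not show the header line. Directive lines are skipped explicitly, so the 00:00:00 in a #Date header is never taken as an event time, and a line whose column count does not match the header is rejected rather than silently mis-mapped.

```python
"""Parse IIS W3C extended log lines and derive the event timestamp.

Added example for this thread; not code from filebeat, Logstash or the
original posters. SAMPLE_LOG is constructed from the two messages quoted in
the question, and the #Fields order is an assumption.
"""
from datetime import datetime, timezone

# Constructed sample of a u_ex*.log file. IIS writes the #Fields directive so
# a parser can map columns by name instead of by position.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-21 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-06-21 00:08:55 W3SVC2 SERVER1 10.0.0.5 GET / - 443 - 10.0.0.1 - - 401 0 0 2293 7 2
2016-06-21 00:06:38 W3SVC4 SERVER1 10.0.0.5 GET / - 80 - 10.0.0.1 - - 404 0 64 2896 7 3
2016-06-21 09:32:51 W3SVC2 SERVER1 10.0.0.5 POST /login - 443 - 10.0.0.9 - - 200 0 0 512 88 15
"""


def event_timestamp(date, time_):
    """Combine the W3C date and time columns into an ISO 8601 UTC string.

    W3C extended entries are written in UTC regardless of the server's
    locale; the "use local time" option in IIS affects only file naming and
    rollover. The value is therefore tagged as UTC without any conversion.
    """
    dt = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")


def parse_iis_w3c(text):
    """Yield one dict per log entry, keyed by the names in #Fields.

    Directive lines (#...) are consumed for the field list and otherwise
    skipped, so the #Date header is never treated as an event. A data line
    whose column count differs from the header is reported instead of being
    mapped onto the wrong field names.
    """
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields directive")
        cols = line.split()
        if len(cols) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} columns, got {len(cols)}"
            )
        entry = dict(zip(fields, cols))
        entry["@timestamp"] = event_timestamp(entry["date"], entry["time"])
        yield entry


def timestamps_by_site(text):
    """Group event timestamps by site (s-sitename), in file order."""
    out = {}
    for entry in parse_iis_w3c(text):
        out.setdefault(entry["s-sitename"], []).append(entry["@timestamp"])
    return out


if __name__ == "__main__":
    for site, stamps in timestamps_by_site(SAMPLE_LOG).items():
        print(site, stamps)
```

Each entry's @timestamp comes from its own date and time columns, so events from the same file keep distinct times instead of sharing the file's first entry. If s-sitename is not among the logged fields, the W3SVC* directory name in the filebeat source path is the other place to get the site from.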


#3

Hi Andrew,

Thank you for the response. I believe I found the culprit:

  • Encoding

Although IIS and filebeat were both set to UTF-8 and logstash was expecting UTF-8, having the logstash input set to tcp instead of the beats plugin was causing a lot of extra values (for whatever reason). Changing the input for IIS from tcp to beats seems to have cleared up this issue where each log was getting the garbled timestamp of midnight each day.


(system) #4

This topic was automatically closed after 21 days. New replies are no longer allowed.