I have inherited a partially constructed ELK environment. Previous to my efforts, IIS logs have not entered the system. Looking at previous source control checkins, the Dev before me was running everything locally on the ELK server (configs all say localhost).
Server is Ubuntu
Client is Windows running IIS 7.
Logging is set to W3C, here is a sample with ip changed a bit:
2018-10-14 17:22:52 172.17.200.154 GET /Default.aspx ReturnUrl=%2f 443 - 220.127.116.11 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 200 0 0 2620
I followed the IIS Module instructions:
Installed the Ingest GEOIP and User Agent.
On the windows IIS box, I installed filebeat first and got that shipping logs, I then installed the IIS module in powershell. I also ran filebeat setup which created numerous dashboards. The dashboards have no data which isn't surprising due to lack of parsing data. In filebeats.yml I commented out logstash and only have elasticsearch and kibana connections.
The filebeats log shows my iis logs being harvested. I can see these in Kabana, but there is a grok error message: "Provided Grok expressions do not match field value:" followed by the row in iis log.
After starting filebeats with the IIS module loaded, I noticed there are duplicate indexes available in Kibana. Both are named "filebeat-*" I had thought it should add a date stamp, but eventually I would want to change that name to something more descriptive.
My theory is that its busted since its going into the same/similar indexes? I am looking at sending the logs to a new index and saw some documentation about that, but I got confused by the templates, I thought filebeats setup would do that for me.