IIS module under filebeat not populating fields in discover

Priya_Vardhan · December 14, 2022, 9:21pm

Hi All,

I have enabled IIS module under filebeat after providing the log path for both access and error.

I can see the IIS fields getting loaded in filebeat index, but it is not showing in discover.

The data is not available for IIS.

Any help would be appreciated?

aaron-nimocks · December 14, 2022, 10:01pm

It sounds like you are having trouble viewing your IIS logs in the Discover page of the Elastic Stack. There are a few potential reasons for this:

The Filebeat index pattern may not be set up correctly in Elasticsearch. In order for the data to be searchable in Discover, you will need to create an index pattern that matches the name of the index that Filebeat is writing to. You can do this by going to the Management tab in Kibana, then selecting Index Patterns and creating a new pattern.
If the index pattern is set up correctly, the issue may be with the configuration of Filebeat. Make sure that the fields section of the Filebeat configuration file includes the IIS fields that you want to be available in Discover. Additionally, check that the fields_under_root and fields.yml files are set up correctly, as these can affect how fields are indexed in Elasticsearch.
It is also possible that there is a problem with the data being ingested by Filebeat. If the IIS logs are not being parsed correctly, the relevant fields may not be available in Elasticsearch. You can check the Filebeat logs to see if there are any error messages that can help identify the cause of the issue.

stephenb · December 14, 2022, 10:08pm

Or need to expand the time picker

Hi @Priya_Vardhan Welcome to the community!

Priya_Vardhan · December 14, 2022, 10:33pm

Hi @aaron-nimocks and @stephenb ,

Thanks for the info.

Index pattern is setup correctly, as it is loading the data for other fields other than IIS
Fields.yml looks fine
Filebeat logs are producing some errors like below

Type : mapper parsing exception, reason : failed to parse field [network forwarded ip] of type [ip] in document with I'd "".
Reason: 350 is not an ip string literal

There is another error in kibana like " Provided Grok expressions do not match field value"

aaron-nimocks · December 14, 2022, 10:41pm

What was the value of the field in the error? If it's not a valid IP address then that's what would cause this issue.

Priya_Vardhan · December 14, 2022, 10:49pm

@aaron-nimocks - It is as below
Provided Grok expressions do not match field value: [ 2021-08-12 19:09:09 10.xx.xxx.xx 34169 10.xx.xxx.xxx 81 - %00 %00 400 - Bad request - ]

How to fix this issue if it is due to IP?

aaron-nimocks · December 14, 2022, 10:59pm

Ohh. Looks like you have a grok or dissect issue somewhere. Did you run the setup from filebeats that pushed templates and such to Kibana? Specifically I am wondering if the ingest pipelines are loaded.

Priya_Vardhan · December 14, 2022, 11:22pm

yes, I ran the setup and ingest pipelines are loaded in Kibana.
Do we need to configure ingest pipeline in filebeat config files?

system · January 12, 2023, 1:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.