IIS W3C format logs not being mapped by filebeat iis module

fadil030889 · July 19, 2019, 7:24am

Hi,

So we have filebeat on prem, sending iis logs onto an elastic cloud stack, with the iis modules enabled, we are having this error: " Provided Grok expressions do not match field value ". I've checked the raw iis logs and the fields seems to be off compared to the default.json grok pattern for the iis module. Is there any specific format that the iis logs should be saved or any other way to parse the logs into the message field and split that into further different fields.

The iis W3C logs have the following fields to them:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-

so any suggestions?

Thanks

jsoriano · July 26, 2019, 4:08pm

Hi @fadil030889,

In principle filebeat modules are intended to support default log formats of services. For each module we have a set of log examples so we can automatically test that they are supported. You can find the test files for IIS here.

If you have some logs in the default format of IIS and they are not being parsed, could you paste here some of them so we can try and add them to our test suite?

system · August 23, 2019, 4:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat IIS Access logs not parsing but Error logs are Beats filebeat	4	323	July 15, 2020
[IIS 7.5] [Filebeat 6.6.1] Provided Grok expressions do not match field value Beats filebeat	11	3133	April 29, 2019
Filebeat Grok Error - IIS Beats filebeat	4	1543	September 12, 2019
SMTP logs from Windows Server can't be parsed Logs	4	1739	May 25, 2020
Filebeats IIS Grok Beats filebeat	2	474	July 29, 2019

IIS W3C format logs not being mapped by filebeat iis module

Related Topics