IIS W3C format logs not being mapped by filebeat iis module


So we have filebeat on prem, sending iis logs onto an elastic cloud stack, with the iis modules enabled, we are having this error: " Provided Grok expressions do not match field value ". I've checked the raw iis logs and the fields seems to be off compared to the default.json grok pattern for the iis module. Is there any specific format that the iis logs should be saved or any other way to parse the logs into the message field and split that into further different fields.

The iis W3C logs have the following fields to them:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-

so any suggestions?


Hi @fadil030889,

In principle filebeat modules are intended to support default log formats of services. For each module we have a set of log examples so we can automatically test that they are supported. You can find the test files for IIS here.

If you have some logs in the default format of IIS and they are not being parsed, could you paste here some of them so we can try and add them to our test suite?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.