So we have Filebeat on-prem, sending IIS logs to an Elastic Cloud stack with the IIS module enabled, and we are getting this error: "Provided Grok expressions do not match field value". I've checked the raw IIS logs and the fields seem to be off compared to the default.json grok pattern for the IIS module. Is there any specific format that the IIS logs should be saved in, or any other way to parse the logs into the message field and split that into further fields?
The IIS W3C logs have the following fields:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-
So, any suggestions?
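Added example (not from the original post or from the Filebeat IIS module): a W3C extended log parser that takes the field names and their order from the log's own #Fields directive instead of a fixed pattern, which is exactly where a hard-coded grok expression breaks when the IIS site logs a different or reordered field set. The sample log below is constructed; the field list in it is an assumption that roughly follows the post and must be replaced by whatever the real log's #Fields line says. Lines whose column count does not match the header are reported rather than silently mis-mapped, so you can see which lines a fixed pattern would reject.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample IIS W3C log (example data, not from the original post).
# IIS writes one space-separated record per line, uses "-" for empty values and
# "+" in place of spaces inside values such as the User-Agent. The field list
# and order here are an assumption; take them from your own log's #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - https://example.com/ 200 0 0 15
2023-05-01 00:00:02 10.0.0.5 POST /api/login - 443 - 203.0.113.9 curl/8.0.1 - - 401 2 5 3
"""

# Fields worth storing as numbers so they can be filtered and aggregated.
NUMERIC_FIELDS = {"s_port", "sc_status", "sc_substatus", "sc_win32_status",
                  "time_taken", "sc_bytes", "cs_bytes"}
# Fields in which IIS encodes spaces as "+".
PLUS_ENCODED_FIELDS = {"cs_user_agent", "cs_referer", "cs_cookie"}

Value = Union[str, int, None]


def normalize_field(name: str) -> str:
    """Turn a W3C field name into a safe key: 'cs(User-Agent)' -> 'cs_user_agent'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def parse_w3c(text: str) -> Tuple[List[Dict[str, Value]], List[str]]:
    """Parse a W3C extended log using its own #Fields directive.

    Returns (records, errors). Each record is a dict keyed by normalized
    field name. Data lines whose column count differs from the current
    #Fields header go into errors instead of being mapped to the wrong keys.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, Value]] = []
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # IIS emits a fresh #Fields directive whenever the logging
            # configuration changes, so the header can appear more than once.
            if line.startswith("#Fields:"):
                fields = [normalize_field(f) for f in line[len("#Fields:"):].split()]
            continue
        if fields is None:
            errors.append(f"line {lineno}: data before any #Fields directive")
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            errors.append(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
            continue
        record: Dict[str, Value] = {}
        for key, raw in zip(fields, values):
            if raw == "-":
                record[key] = None
            elif key in NUMERIC_FIELDS and raw.isdigit():
                record[key] = int(raw)
            elif key in PLUS_ENCODED_FIELDS:
                record[key] = raw.replace("+", " ")
            else:
                record[key] = raw
        records.append(record)
    return records, errors


if __name__ == "__main__":
    recs, errs = parse_w3c(SAMPLE_LOG)
    for r in recs:
        print(r["c_ip"], r["cs_method"], r["cs_uri_stem"], r["sc_status"], r["sc_substatus"])
    for e in errs:
        print("ERROR", e)
```

Whatever you end up using on the Elastic side (the module's default.json, or your own ingest pipeline with a grok or dissect pattern), the pattern has to list the same fields in the same order as the #Fields line of the logs actually being shipped; running the real log files through this script is a quick way to confirm that the header and the data lines agree before tuning the pattern.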