Kibana Dashboard vs AWStats when showing Browser Version

Elastic Stack Kibana
1

I built a simple ELK Stack solution

  1. Uses Apache Log files as inputs
  2. Parses the Apache Log Files with Logstash and the Agent Filter
  3. Logstash Outputs events into Elasticsearch
  4. Kibana displays dashboard
  5. Kibana Dashboard shows pie chart showing requests by Browser Version
    Example Google Chrome 45.0, Google Chrome 44.0, IE 8.0, IE 9.0, IE 10.0, IE 11.0

I have a coworker who built a similar solution that uses AWStats to count requests by Browser Version.

My Question
Can anyone think of why my coworker's AWStats solution does not show any requests for the browser version IE 11.0? My ELK Stack Solution clearly shows that there are about 5% of our website requests coming from browser IE 11.0, my guess is that AWStats does not recognize the Browser Version IE 11.0 since AWStats is an older technology and was probably written long before IE 11.0 ever existed.

Of course I have management asking me why they should trust the Dashboards created by my ELK Stack Solution vs trusting the AWStats Solution. I love the ELK Stack and completely trust the numbers that are displayed on my Kibana Dashboard. I am just not sure what to tell Management because I do not completely understand how AWStats is capturing the Browser Version vs how the ELK Stack is counting the browser version. Any advice?

Versions Used
Windows 7
Elasticsearch v1.7.0
Logstash v1.5.4
Kibana v4.1.1

2

Including some screenshots of your raw documents in Kibana and resulting visualizations would help.

Kibana just displays data available in Elasticsearch. In the case of user agent string, the logic in parsing the raw string into something that looks like useragent.name "IE" and useragent.major "11" is in Logstash. However, the raw user agent string should still be stored both in _source and in the field called "agent".

In order to prove that Kibana is showing the right thing, you may consider going to Discover, filtering on the parsed fields and showing them the raw agent strings. Since AWstats is not showing any IE 11 activity, proving that even one IE11 agent string was originally in your logs should show that AWstats was wrong.

Note that there are many IE11 useragent strings: http://blogs.msdn.com/b/ieinternals/archive/2013/09/21/internet-explorer-11-user-agent-string-ua-string-sniffing-compatibility-with-gecko-webkit.aspx

Screen Shot 2015-10-10 at 7.44.10 AM.png2872×1558 327 KB

3

Thank you for your response. Turns out that the reason AWStats was not showing IE 11.0 requests was because there was a bug reported in an earlier version of AWStats. My understanding is that the issue has been fixed with the latest version of AWStats. Go figure :smile:

1 Like