Hi There,
I have set up Elasticsearch, Logstash, Kibana and Filebeat version 6.5.4 on Windows Server 2012 R2. I have configured Filebeat to collect the IIS logs and send them to Logstash.
In Kibana I can see the IIS logs, but I'm not able to filter "message" using grok filtering. Below are the configurations of Filebeat and Logstash.
Filebeat configuration (filebeat.yml):

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
    # The backslashes in front of the wildcards were eaten by the forum's markdown
    # rendering; the glob is LogFiles\*\* so that Filebeat descends into the W3SVC*
    # site directories.
    - C:\inetpub\logs\LogFiles\*\*
  # IIS writes #Software/#Version/#Fields header lines at the top of every log file;
  # they can never match the grok pattern, so drop them here instead of in Logstash.
  exclude_lines: ['^#']
  # Custom fields land under [fields][type] in the event (not [type]) unless
  # fields_under_root: true is set.
  fields:
    type: iis
output.logstash:
  hosts: ["192.168.1.10:5044"]
Logstash config file (this file is in D:\logstash-6.5.4\bin):

input {
  beats {
    port => 5044
    # Filebeat 6.x does not set a top-level "type" field itself, so this option is
    # what makes the "if [type] == "iis"" condition in the filter true.
    type => "iis"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.1.12:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    # document_type is deprecated in 6.x (mapping types are being removed) but
    # is still accepted.
    document_type => "%{[@metadata][type]}"
  }
}
Input.conf (input configuration file):

input {
  beats {
    port => 5044
    type => "iis"
  }
  # The original nested a file { path => "C:\inetpub\logs\LogFiles**" ... } block
  # inside beats {}, which is not valid Logstash syntax (inputs are siblings, never
  # nested) and left the input {} section unclosed. A file input is also not needed
  # here: Filebeat already ships the log files, and a file input would only read
  # paths that are local to the Logstash host.
  # If this file is loaded alongside the config in D:\logstash-6.5.4\bin above, the
  # beats input on port 5044 and the elasticsearch output are both declared twice:
  # the second beats input cannot bind the port, and every event that does get
  # through is indexed once per output. Keep a single pipeline definition.
}
IIS filter configuration:

filter {
  # "==>" is not a Logstash conditional operator; equality is "==".
  if [type] == "iis" {
    grok {
      # IIS W3C logs write cs-uri-query bare ("-" when there is no query), never in
      # quotes, so the original (?:-|"%{URIPATH:CS-URI-Query}") alternative could only
      # match requests without a query string (and the unescaped quotes also broke the
      # double-quoted config string). NOTSPACE covers both cases.
      # The column order must match the #Fields header of your log files; cs-host,
      # sc-bytes and cs-bytes are not in the IIS default field set, so check that they
      # are enabled in the site's logging settings.
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp}\s%{IPORHOST:S-IP}\s%{WORD:CS-Method}\s%{URIPATH:CS-URI-Stem} %{NOTSPACE:CS-URI-Query}\s%{NUMBER:SERVER-Port} %{NOTSPACE:CS-Username}\s%{IPORHOST:CLIENT-IP}\s%{NOTSPACE:CS-UserAgent}\s%{NOTSPACE:CS-Referer}\s%{NOTSPACE:CS-Host}\s%{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}" }
    }
  }
}
Elasticsearch output configuration file:

output {
  elasticsearch {
    hosts => ["192.168.1.12:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
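As an added example (this is not code from the post or from Logstash), here is a small Python re-implementation of a subset of grok that expands the post's match string into a regex and runs it over two constructed IIS W3C log lines laid out in the same column order as the pattern. It shows why the original pattern only parses requests that have no query string: IIS writes cs-uri-query bare, so the `(?:-|"...")` alternative never matches a real query, while `%{NOTSPACE:CS-URI-Query}` does. The pattern table (simplified copies of the upstream grok definitions), the sample log lines, and the `compile_grok`, `grok` and `parse_iis_log` helpers are all assumptions of this example, not part of Logstash.

```python
import re

# Minimal subset of Logstash's grok pattern library, re-implemented here as
# Python regexes (assumption: simplified copies of the upstream definitions,
# e.g. TIMESTAMP_ISO8601 omits the optional timezone suffix).
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "WORD": r"\b\w+\b",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
}

# %{SYNTAX} or %{SYNTAX:SEMANTIC}; SEMANTIC may contain '-' as in the post.
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.\-]+))?\}")


def compile_grok(pattern):
    """Expand %{SYNTAX:SEMANTIC} references into one compiled Python regex.

    Returns (regex, field_names); capture group f<i> holds field i. Python
    group names cannot contain '-', so the hyphenated names from the post are
    kept in the list and the groups are simply numbered."""
    fields = []

    def expand(p):
        def sub(m):
            name, field = m.group(1), m.group(2)
            inner = expand(GROK_PATTERNS[name])
            if field is None:
                return "(?:%s)" % inner
            fields.append(field)
            return "(?P<f%d>%s)" % (len(fields) - 1, inner)
        return GROK_REF.sub(sub, p)

    return re.compile(expand(pattern)), fields


def grok(pattern, line):
    """Mimic the grok filter: unanchored search, captured fields or None."""
    regex, fields = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    return {name: m.group("f%d" % i) for i, name in enumerate(fields)}


def parse_iis_log(lines, pattern):
    """Parse IIS W3C log lines the way the Logstash pipeline would see them.

    '#' lines are the W3C header IIS writes at the top of every log file; they
    never match and belong in Filebeat's exclude_lines: ['^#']. Lines grok
    cannot parse get the _grokparsefailure tag, as Logstash would add."""
    events = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = grok(pattern, line)
        if fields is None:
            events.append({"message": line, "tags": ["_grokparsefailure"]})
        else:
            events.append(dict(fields, message=line))
    return events


# The match string from the post, verbatim (quotes shown as they must appear
# escaped inside a Logstash double-quoted string).
ORIGINAL_PATTERN = (
    r'%{TIMESTAMP_ISO8601:log_timestamp}\s%{IPORHOST:S-IP}\s%{WORD:CS-Method}\s'
    r'%{URIPATH:CS-URI-Stem} (?:-|"%{URIPATH:CS-URI-Query}")\s%{NUMBER:SERVER-Port} '
    r'%{NOTSPACE:CS-Username}\s%{IPORHOST:CLIENT-IP}\s%{NOTSPACE:CS-UserAgent}\s'
    r'%{NOTSPACE:CS-Referer}\s%{NOTSPACE:CS-Host}\s%{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} '
    r'%{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}'
)
# Same pattern with the query-string column matched bare, as IIS writes it.
FIXED_PATTERN = ORIGINAL_PATTERN.replace(
    '(?:-|"%{URIPATH:CS-URI-Query}")', '%{NOTSPACE:CS-URI-Query}')

# Constructed sample log (not a real capture): header lines plus one request
# without and one with a query string, in the column order of the pattern.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2019-01-15 08:12:44 192.168.1.20 GET /default.aspx - 80 - 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0) - www.example.com 200 0 0 4521 310 15
2019-01-15 08:12:45 192.168.1.20 POST /login.aspx ReturnUrl=%2Fadmin 443 - 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0) https://www.example.com/default.aspx www.example.com 302 0 0 890 512 47
""".splitlines()


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("fixed", FIXED_PATTERN)):
        for event in parse_iis_log(SAMPLE_LOG, pattern):
            print(label, event.get("tags", "ok"), event.get("CS-URI-Stem"), event.get("CS-URI-Query"))
```

With the original pattern the GET line parses but the POST line with `ReturnUrl=%2Fadmin` is tagged `_grokparsefailure`; with the fixed pattern both parse. Two further practitioner caveats: hyphenated field names such as `CS-URI-Stem` are legal in Elasticsearch but tend to need escaping in Kibana's Lucene query syntax, so lower-case snake-case names (`cs_uri_stem`) are easier to work with, and the real pattern should be tried against a line from your own log file in Kibana's Grok Debugger (Dev Tools), since the column set depends on which W3C fields the site has enabled.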