Logstash not filtering IIS message into fields in Kibana

Hi There,
I have set up Elasticsearch, Logstash, Kibana and Filebeat version 6.5.4 on Windows Server 2012 R2. I have configured Filebeat to collect the IIS logs and send them to Logstash.
In Kibana I can see the IIS logs, but I'm not able to filter "message" using grok filtering. Below are the configurations of Filebeat and Logstash.

filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
    - C:\inetpub\logs\LogFiles\*\*
  fields:
    type: iis

output.logstash:
  hosts: ["192.168.1.10:5044"]

Logstash config file (this file is in D:\logstash-6.5.4\bin)

input {
  beats {
    port => 5044
    type => "iis"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.1.12:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

input.conf (input configuration file)

input {
  beats {
    port => 5044
    type => "iis"
  }
  # A file input cannot be nested inside the beats input, and the IIS log
  # path is already collected by Filebeat on the IIS host. Left here, commented
  # out, in case Logstash itself runs on the IIS server (Logstash wants forward
  # slashes in Windows paths).
  #file {
  #  path => "C:/inetpub/logs/LogFiles/*/*"
  #  type => "iis"
  #}
}

IIS filter configuration

filter {
  # The comparison operator is "==" ("==>" is not valid Logstash syntax).
  if [type] == "iis" {
    grok {
      # cs-uri-query is either "-" or a bare query string (no quotes), so NOTSPACE;
      # the unescaped quotes and URIPATH in the original pattern broke the config.
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp}\s%{IPORHOST:S-IP}\s%{WORD:CS-Method}\s%{URIPATH:CS-URI-Stem}\s%{NOTSPACE:CS-URI-Query}\s%{NUMBER:SERVER-Port}\s%{NOTSPACE:CS-Username}\s%{IPORHOST:CLIENT-IP}\s%{NOTSPACE:CS-UserAgent}\s%{NOTSPACE:CS-Referer}\s%{NOTSPACE:CS-Host}\s%{NUMBER:SC-Status}\s%{NUMBER:SC-SubStatus}\s%{NUMBER:SC-Win32-Status}\s%{NUMBER:SC-Bytes}\s%{NUMBER:CS-Bytes}\s%{NUMBER:Time-Taken}" }
    }
  }
}

Elasticsearch output configuration file

output {
  elasticsearch {
    hosts => ["192.168.1.12:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
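As an added example (not code from the original post or from the Elastic projects), the field layout the grok pattern above implies, parsed in Python with a regex equivalent of the corrected grok expression and run over a constructed IIS W3C log fragment. Two things worth checking before blaming the grok pattern are shown here: IIS writes "#Software/#Version/#Date/#Fields" header lines at the top of every log file, which grok cannot match (Filebeat can drop them with exclude_lines: ['^#']), and empty fields are written as "-" rather than omitted. The field order assumed is the one in the constructed "#Fields" line; names are lower-cased with underscores because Python named groups cannot contain hyphens.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the corrected grok pattern. Grok's %{TIMESTAMP_ISO8601}
# accepts the space-separated "date time" IIS writes; the query field is
# %{NOTSPACE} because IIS logs "-" or a bare query string, never a quoted one.
IIS_LINE = re.compile(
    r"^(?P<log_timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s"
    r"(?P<s_ip>\S+)\s(?P<cs_method>\w+)\s(?P<cs_uri_stem>\S+)\s"
    r"(?P<cs_uri_query>\S+)\s(?P<s_port>\d+)\s(?P<cs_username>\S+)\s"
    r"(?P<c_ip>\S+)\s(?P<cs_user_agent>\S+)\s(?P<cs_referer>\S+)\s"
    r"(?P<cs_host>\S+)\s(?P<sc_status>\d+)\s(?P<sc_substatus>\d+)\s"
    r"(?P<sc_win32_status>\d+)\s(?P<sc_bytes>\d+)\s(?P<cs_bytes>\d+)\s"
    r"(?P<time_taken>\d+)\s*$"
)

NUMERIC = ("s_port", "sc_status", "sc_substatus", "sc_win32_status",
           "sc_bytes", "cs_bytes", "time_taken")

# Constructed sample log (not real traffic): W3C header lines followed by
# three requests, including a "-" query, a query string and a domain user.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2019-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2019-01-15 08:00:01 192.168.1.20 GET /index.html - 80 - 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) - www.example.local 200 0 0 1523 411 15
2019-01-15 08:00:02 192.168.1.20 GET /login.aspx user=admin&id=1'+OR+1=1-- 443 - 10.0.0.9 sqlmap/1.2 - www.example.local 500 0 0 2051 623 87
2019-01-15 08:00:03 192.168.1.20 POST /api/upload - 443 DOMAIN\svc_web 10.0.0.7 curl/7.55.1 http://www.example.local/form www.example.local 401 2 5 1411 980 3
"""


def parse_iis_line(line):
    """Return a dict of fields, or None for header lines and lines that do
    not match (the equivalent of Logstash tagging _grokparsefailure)."""
    if not line.strip() or line.startswith("#"):
        return None
    m = IIS_LINE.match(line)
    if not m:
        return None
    # IIS writes "-" for empty fields; store None rather than a literal dash.
    fields = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    for k in NUMERIC:
        fields[k] = int(fields[k])
    # IIS logs timestamps in UTC unless the site is configured otherwise.
    fields["@timestamp"] = datetime.strptime(
        fields.pop("log_timestamp"), "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return fields


def parse_iis_log(text):
    """Parse a whole log body. Header/blank lines are skipped (as Filebeat's
    exclude_lines would); anything else that fails to parse is returned in
    the second list so the failures are visible instead of silently indexed."""
    events, failed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_iis_line(line)
        if ev is None:
            failed.append(line)
        else:
            events.append(ev)
    return events, failed


def errors_by_client(events):
    """Once the fields exist, pivoting is trivial: 4xx/5xx count per client IP."""
    counts = {}
    for ev in events:
        if ev["sc_status"] >= 400:
            counts[ev["c_ip"]] = counts.get(ev["c_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    events, failed = parse_iis_log(SAMPLE_LOG)
    for ev in events:
        print(ev["@timestamp"], ev["c_ip"], ev["cs_method"], ev["cs_uri_stem"], ev["sc_status"])
    print("unparsed lines:", failed)
    print("errors by client:", errors_by_client(events))
```

If a real log file yields lines in the failed list, compare the "#Fields" header of that file with the field order in the pattern: IIS sites are often configured with a different set of columns than the grok expression assumes, and a single extra or missing column makes every line fail.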

What does an input line look like?

Thanks badger for the reply...

input {
  beats {
    port => 5044
    type => "iis"
  }
}

Not the input configuration, what does one line of the IIS log look like?
