Logstash template for different IIS versions

wonderlust · April 21, 2020, 9:23am

Hello,
I would like to create a logstash template that uses different grok filters for different IIS log versions. So far, Im using an if statement to check the message if contains IIS log version 10.0 or else for older versions like 6.5 and 7.5. The problem is that it uses the grok filter in the first if and it skips the one in the else statement. Here is how my template looks:

input {
	file {
		type => "IISLog"
		path => "C:/log/*.log"
		start_position => "beginning"
	}
}

filter {
	# check IIS version
	if "10" in [message] {

		# ignore log comments
		if [message] =~ "^#" {
			drop {}
		}
 
 		# check that fields match your IIS log settings
		grok {
        	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:service_name} %{HOSTNAME} %{IPV6:server_ip_address} %{WORD:method} %{URIPATH:endpoint} %{NOTSPACE:uri_query} %{NUMBER:server_port} %{USERNAME} %{IP:client_ip} %{NOTSPACE:protocol_version} %{NOTSPACE:useragent} %{NOTSPACE:cookie} %{NOTSPACE:previous_url} %{HOSTNAME:host_header} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:status_win} %{NUMBER:sent_bytes} %{NUMBER:recieved_bytes} %{NUMBER:time_taken}"]
		} 
	
	} else {

		# ignore log comments
		if [message] =~ "^#" {
			drop {}
		}
 
 		# check that fields match your IIS log settings
		grok {
        	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:server_ip_address} %{WORD:method} %{URIPATH:endpoint} %{NOTSPACE:uri_query} %{NUMBER:server_port} %{USERNAME} %{IP:client_ip} %{NOTSPACE:useragent} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:status_win} %{NUMBER:time_taken}"]
		} 
	}
	# set the event timestamp from the log
	# https://www.elastic.co/guide/en/logstash/current/plugains-filters-date.html
	date {
		match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
		timezone => "Etc/UCT"
	}
	
	# matches the big, long nasty useragent string to the actual browser name, version, etc
	# https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
	useragent {
		source=> "useragent"
		prefix=> "browser_"
	}
		
	mutate {
		remove_field => [ "log_timestamp"]
	}
}

# output logs to console and to elasticsearch
output {
    stdout { codec => rubydebug }
	elasticsearch { 
	hosts => ["127.0.0.1:9200"] 
	index => "logstash-%{+YYYY.MM.dd}"
	manage_template => true
	template => "C:\logstash-7.6.0\bin\template.json"
	template_overwrite => "true"
	codec => json
	}
}

wonderlust · April 21, 2020, 1:34pm

any suggestions? I dont understand where is the error in the if else cycle
@magnusbaeck

Badger · April 21, 2020, 2:55pm

That will evaluate to true if 10 occurs anywhere in the entire message. As a fragment of an IP address, in the timetaken, in the timestamp, in the useragent etc. You need a more specific test.

wonderlust · April 23, 2020, 1:44pm

After I tried everything I found the fix in this post.

system · May 21, 2020, 1:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.