Logstash template for different IIS versions

Elastic Stack Logstash
1

Hello,
I would like to create a logstash template that uses different grok filters for different IIS log versions. So far, Im using an if statement to check the message if contains IIS log version 10.0 or else for older versions like 6.5 and 7.5. The problem is that it uses the grok filter in the first if and it skips the one in the else statement. Here is how my template looks:

input {
	file {
		type => "IISLog"
		path => "C:/log/*.log"
		start_position => "beginning"
	}
}

filter {
	# check IIS version
	if "10" in [message] {

		# ignore log comments
		if [message] =~ "^#" {
			drop {}
		}
 
 		# check that fields match your IIS log settings
		grok {
        	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:service_name} %{HOSTNAME} %{IPV6:server_ip_address} %{WORD:method} %{URIPATH:endpoint} %{NOTSPACE:uri_query} %{NUMBER:server_port} %{USERNAME} %{IP:client_ip} %{NOTSPACE:protocol_version} %{NOTSPACE:useragent} %{NOTSPACE:cookie} %{NOTSPACE:previous_url} %{HOSTNAME:host_header} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:status_win} %{NUMBER:sent_bytes} %{NUMBER:recieved_bytes} %{NUMBER:time_taken}"]
		} 
	
	} else {

		# ignore log comments
		if [message] =~ "^#" {
			drop {}
		}
 
 		# check that fields match your IIS log settings
		grok {
        	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:server_ip_address} %{WORD:method} %{URIPATH:endpoint} %{NOTSPACE:uri_query} %{NUMBER:server_port} %{USERNAME} %{IP:client_ip} %{NOTSPACE:useragent} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:status_win} %{NUMBER:time_taken}"]
		} 
	}
	# set the event timestamp from the log
	# https://www.elastic.co/guide/en/logstash/current/plugains-filters-date.html
	date {
		match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
		timezone => "Etc/UCT"
	}
	
	# matches the big, long nasty useragent string to the actual browser name, version, etc
	# https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html
	useragent {
		source=> "useragent"
		prefix=> "browser_"
	}
		
	mutate {
		remove_field => [ "log_timestamp"]
	}
}

# output logs to console and to elasticsearch
output {
    stdout { codec => rubydebug }
	elasticsearch { 
	hosts => ["127.0.0.1:9200"] 
	index => "logstash-%{+YYYY.MM.dd}"
	manage_template => true
	template => "C:\logstash-7.6.0\bin\template.json"
	template_overwrite => "true"
	codec => json
	}
}
2

any suggestions? I dont understand where is the error in the if else cycle
@magnusbaeck

3

That will evaluate to true if 10 occurs anywhere in the entire message. As a fragment of an IP address, in the timetaken, in the timestamp, in the useragent etc. You need a more specific test.

4

After I tried everything I found the fix in this post.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.