Missing values IIS Module

Hello,

I’m using the IIS module from filebeat.

I’ve given it a default configuration because I do not require any more at this moment.

Now I’m running into the problem that the data does not get correctly ingested by Elasticsearch.

When looking up a field in Kibana like “iis.access.request_time_ms” (it’s hidden, btw, like all the other fields) I get the following message:

“This field is present in your elasticsearch mapping but not in any documents in the search results. You may still be able to visualize or search on it”

When looking at the records I can confirm that we have data in the JSON:

{ "access": { "server_name": "<server>", "response_code": "200", "cookie": "-", "method": "HEAD", "sub_status": "0", "user_name": "-", "http_version": "1.0", "url": "<url>", "site_name": "<sitename>", "referrer": "-", "body_received": { "bytes": "101" }, "hostname": "<hostname>", "remote_ip": "<remote ip>", "port": "80", "server_ip": "<server ip>", "body_sent": { "bytes": "265" }, "win32_status": "0", "request_time_ms": "46", "query_string": "-", "user_agent": { "os": "Other", "name": "Other", "os_name": "Other", "device": "Other" }

So as you can see, there is data for the fields but it does not get recognized.

I’ve already deleted the indexes and let them be created anew.

I’ve refreshed the index pattern several times.

But no results.

Looking in the elasticsearch log there are no indications that the ingest goes wrong.

Anyone got any tips on how to troubleshoot this?

I’ve included my filebeat config. (Please note that I’m required to anonymize the information.)

#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  enabled: false

#============================= Filebeat modules ===============================
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================
setup.template:
  name: <name>
  pattern: <name>
setup.template.settings:
  index.number_of_shards: 5

#================================ General =====================================
tags: ["<application>"]

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

  # Array of hosts to connect to.
  hosts: ["http://<ip>:9200"]
  index: "<name>-%{+yyyy.MM.dd}"
#================================ Processors =====================================
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~

Thanks and regards!

Please format configs and logs using the </> button.

It seems events are properly indexed, but your Kibana is not set up correctly.

One can use filebeat setup to also set up Kibana and pre-create the index pattern. The index pattern is some internal representation of an index in Kibana, with additional metadata. A field becomes 'discoverable' only if it is part of the index pattern. That's why you have to update the index pattern in Kibana every so often. Using filebeat setup we can pre-create the index pattern.
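To check the point in the reply above offline, the following added example (not part of the thread and not Elastic's code) flattens a document's `_source` into dotted field names and compares them with the field list of an index-pattern saved object. The saved-object layout (`attributes.fields` as a JSON-encoded list) and both samples are assumptions constructed for illustration; the function names are hypothetical.

```python
import json

def flatten(source, prefix=""):
    """Return {dotted.field.name: value} for every leaf in a document's _source."""
    leaves = {}
    for key, value in source.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            leaves.update(flatten(value, path + "."))
        else:
            leaves[path] = value  # scalars and arrays are treated as leaves
    return leaves

def pattern_fields(saved_object):
    """Field names held by an index-pattern saved object (assumed layout)."""
    return {f["name"] for f in json.loads(saved_object["attributes"]["fields"])}

def compare(source, saved_object):
    """Diff one document's fields against the index pattern's field list."""
    doc = set(flatten(source))
    known = pattern_fields(saved_object)
    return {
        # indexed in Elasticsearch, but the pattern has not been refreshed to include them
        "not_in_pattern": sorted(doc - known),
        # known to the pattern, but this document carries no value for them
        "pattern_only": sorted(known - doc),
    }

# Constructed sample: a trimmed version of the record shown in the question.
SAMPLE_SOURCE = {
    "@timestamp": "2019-01-01T00:00:00.000Z",
    "iis": {"access": {"method": "HEAD", "response_code": "200",
                       "request_time_ms": "46", "body_sent": {"bytes": "265"}}},
}

# Constructed sample: a stale index pattern that predates some of the fields.
SAMPLE_PATTERN = {"attributes": {"title": "<name>-*", "fields": json.dumps([
    {"name": "@timestamp", "type": "date"},
    {"name": "iis.access.method", "type": "string"},
    {"name": "iis.access.response_code", "type": "string"},
    {"name": "iis.access.url", "type": "string"},
])}}

if __name__ == "__main__":
    for bucket, names in compare(SAMPLE_SOURCE, SAMPLE_PATTERN).items():
        print(bucket, names)
```
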

You may need to expand the time range that you are viewing in Kibana. I thought that I wasn't getting data, but by default with the IIS module it starts at the beginning of the logs and works backwards from there.
