Multiple IIS logs - Add field (?)

Hi, I don't know if this goes into filebeat category, logstash or both.

I've around 50 websites on a single server. Running one instance of filebeat with IIS module enabled. My problem is that in Kibana I would like to be able to search for SiteX and show all logs/events from said site. Ideally this would be done by adding a field containing the site name.

What would be the best way of achieving this? I'm outputting filebeat to logstash where I've a grok filter matching default IIS logs.

My iis module config looks like the following:

    - module: iis
      # Access logs
      access:
        enabled: true
        # Set custom paths for the log files. If left empty,
        # Filebeat will choose the paths depending on your OS.
        var.paths: ["F:/site1/.log"]
        var.paths: ["F:/site2/.log"]

etc.

Logstash config:

    input {
      beats {
        port => 5044
      }
    }
    filter {
      # Parse the default IIS W3C access-log line into named fields
      grok {
        match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:timetaken}"]
      }
    }

Thanks in advance.

I managed to add a custom field to the filebeat output, but the field is added for all logs.
There is a metadata field called log.file.path. Is there a way to match the metadata field and add a field based on the value in log.file.path?

Thanks in advance.

Hello,

You could use grok on the file.path on the event, extract the name of the site, and add it to a custom field? I am assuming it's possible because each path is unique and maybe reflects the name of the site.

var.paths: ["F:/site1/.log"]
var.paths: ["F:/site2/.log"]
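
One way to implement the suggestion above, as an added example that is not part of the original thread: a second grok in the Logstash filter that reads the log.file.path metadata field and writes the site folder to its own field. The field name site_name and the failure tag are hypothetical, and the pattern assumes the site folder is the first directory under the drive root, as in the var.paths shown.

```logstash
filter {
  # Added example, not the poster's config.
  # Assumes Filebeat sends the source file as the nested field
  # log.file.path, which Logstash references as [log][file][path].
  grok {
    # Windows paths can arrive with "/" or "\" separators, so accept both.
    # The doubled backslash assumes the default config.support_escapes: false.
    # site_name is a hypothetical field name chosen for this example.
    match => {
      "[log][file][path]" => "^[A-Za-z]:[/\\]+(?<site_name>[^/\\]+)[/\\]"
    }
    # Separate tag (hypothetical name) so a path that does not match is not
    # mistaken for a failure of the IIS message grok, which tags
    # _grokparsefailure by default.
    tag_on_failure => ["_sitename_parsefailure"]
  }
}
```

With this in place, a path such as F:/site1/... yields site_name: site1, which can be used as a Kibana filter; events tagged _sitename_parsefailure show which paths fall outside the assumed layout.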
