.NET W3C format webserver access logs on Linux

Before I go down the path of creating something custom to bring in W3C format access logs generated from .NET https server apps on Linux, I wanted to make sure there wasn’t some easier way to do it with an existing integration.

The logs are the default setting with X-Forwarded-For, so they would be similar to what is collected from IIS, though they have much different naming.

Any insight before I venture down the custom log path is greatly appreciated.

Thanks,
Tim

Hi @approve

The best way for us to help is if you post us a couple of samples of the log lines...
Most likely there is already something, or something that's very close.

Here is the header at the beginning of the log file showing the fields, and a few creatively redacted lines (this is a dev box so the x-forwarded-for is just “-” but it contains an IP on prod boxes and is often populated from cf-connecting-ip rather than x-forwarded-for):

#Version: 1.0
#Start-Date: 2025-09-01 11:14:24
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer) cs(x-forwarded-for)
2025-09-01 11:14:21 10.0.0.1 - linuxbox 10.0.0.9 443 GET / - 200 1129.4752 HTTP/2 linuxbox.foo.com Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/139.0.0.0+Safari/537.36 - - -
2025-09-01 11:14:22 10.0.0.1 - linuxbox 10.0.0.9 443 GET /FOO_WEB.styles.css - 200 57.8247 HTTP/2 linuxbox.foo.com Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/139.0.0.0+Safari/537.36 - https://linuxbox.foo.com/ - 
2025-09-01 11:14:22 10.0.0.1 - linuxbox 10.0.0.9 443 GET /js/SomeJSFile.js - 200 52.1164 HTTP/2 linuxbox.foo.com Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/139.0.0.0+Safari/537.36 - https://linuxbox.foo.com/ -

Thanks!

Hi @taprove

So the closest integration we have is the IIS integration; it matches a number of the most popular patterns.

It supports a number of patterns, but unfortunately it does not appear to support your custom pattern.

I would suggest

A) Loading the integration, cloning the Ingest Pipeline, and adding a GROK pattern that matches your specific pattern.

or

B) Rearrange your output to match one of the OOTB patterns

C) Though not recommended, you can edit the ingest pipeline from the integration, but those changes will be overwritten if / when you upgrade the integration.
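Added example, not part of the original thread and not the IIS integration's own pipeline: a header-driven parser for the W3C sample posted above, showing the field handling that a custom pattern (option A) has to cover. The `trusted_proxies` parameter, the `client_ip` key and the second sample line are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: header and first request from the post (User-Agent shortened),
# plus an invented line with a query string and an x-forwarded-for value.
SAMPLE = """\
#Version: 1.0
#Start-Date: 2025-09-01 11:14:24
#Fields: date time c-ip cs-username s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer) cs(x-forwarded-for)
2025-09-01 11:14:21 10.0.0.1 - linuxbox 10.0.0.9 443 GET / - 200 1129.4752 HTTP/2 linuxbox.foo.com Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - - -
2025-09-01 11:14:22 10.0.0.1 - linuxbox 10.0.0.9 443 GET /js/SomeJSFile.js v=2 200 52.1164 HTTP/2 linuxbox.foo.com Mozilla/5.0+(X11;+Linux+x86_64) - https://linuxbox.foo.com/ 203.0.113.7,+10.0.0.1
"""

def client_ip(c_ip, xff, trusted_proxies):
    """Use the forwarded address only when the TCP peer is a known proxy,
    because any client can send its own x-forwarded-for header."""
    if xff and c_ip in trusted_proxies:
        first = xff.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return c_ip

def parse_w3c(text, trusted_proxies=frozenset()):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()  # also tolerates the trailing space seen in the sample
        if len(values) != len(fields):
            yield {"error": "field count mismatch", "raw": line}
            continue
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        for key in ("cs(User-Agent)", "cs(x-forwarded-for)"):
            if rec.get(key):  # "+" stands in for spaces, as in the sample User-Agent
                rec[key] = rec[key].replace("+", " ")
        rec["sc-status"] = int(rec["sc-status"]) if rec.get("sc-status") else None
        rec["time-taken"] = float(rec["time-taken"]) if rec.get("time-taken") else None
        rec["client_ip"] = client_ip(rec.get("c-ip"), rec.get("cs(x-forwarded-for)"), trusted_proxies)
        yield rec
```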

I can make the log match the pattern. After that would it be as simple as adding the Linux paths and patterns for the logs to the IIS Access Logs paths?

Thanks!

Apologies ... I am not quite parsing :)

You will make YOUR log patterns match one of the supported patterns for the Elastic IIS Integration?

My apologies, I could have been clearer. I can make the application log fields match our IIS logs that are being processed already.

So matching your Application Logs to one of the Existing Supported Patterns, then yes, you can then use the IIS Integration and point it to the log paths...

If you provide a few examples after you reformat, I can show you how to do a quick test.

Excellent. I’ll work on getting the required changes into the code and generate a new log. It might be a little bit, but I’ll be back!

Thanks!