Hello Everyone!
So I (through much effort and a kind soul on Reddit) finally got a full ELK Stack setup up and running, whereby the ELK Stack lives on a Windows machine (Microsoft house). The logs/data I care about are from IIS on other remote Windows web servers. I have IIS pumping into Kibana via direct-to-Elastic Filebeat and the built-in IIS module.
The next part I'm looking for is this:
It seems IIS logs just pump their main log lines into the "message" field in Kibana, so I have a single field called "message" that has the entire log line from IIS in it.
The "message" field looks something like:
2019-10-25 07:03:45 W3SVC8 10.173.5.113 GET /my/path/to/things.htm - 443 - 184.50.88.108 Mozilla/5.0+(Linux;+Android+6.0.1;+Nexus+5X+Build/MMB29P)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/41.0.2272.96+Mobile+Safari/537.36+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - - www.mydomain.com 200 0 0 118799 1428 406 66.249.75.87
That's pretty useless. I'm looking to parse those out into more useful fields (e.g. IIS.Client.Useragent), and from what I'm reading, I need to use a "grok filter" that seems to go into some YML file somewhere?
So If I can find resources that help me do this myself, that's great and I'll take care of it.
Honestly, though, having somebody around in the U.S. (for timezone reasons; also, the company can pay a consulting fee) who knows this kind of thing (specifically the Windows deployment) would be ideal. I have a ton of questions, and trying to comb through all the Linux folks and various pieces of semi-disparate documentation is proving difficult.
So! What I'm looking for:
A) You have a little bit of time to answer questions and help a guy out for a fee. Just having somebody with experience on a Windows deployment would be amazing.
B) You know where I can find documentation on WHERE/HOW to apply the grok filter, and maybe some examples of IIS W3C log grok filters that I can tool around with.
Thanks!
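As an added example (editor's code, not from the original post and not Elastic's module code): a grok pattern that covers the sample W3C line quoted above, together with a small Python harness that expands the grok tokens into a regex and runs it against that line, so the pattern can be checked offline before it goes into ELK. With Filebeat shipping straight to Elasticsearch, a pattern like this lives in the `grok` processor of an Elasticsearch ingest pipeline; with Logstash in the path, it goes in a `grok` filter in the pipeline config. Assumptions: the field order is inferred from the shape of the sample line (on a real server it is given by the `#Fields:` header of the log file); the trailing IP is assumed to be an X-Forwarded-For value, which is not in the default IIS field set; the pattern definitions are simplified stand-ins for the stock grok names (the real `IP` also matches IPv6); and the second log line and the header line are constructed.

```python
import re
from datetime import datetime, timezone

# Simplified stand-ins for the stock grok pattern names used below (my own
# abbreviated definitions for this example, not copied from Logstash; the real
# IP pattern also covers IPv6).
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "INT": r"-?\d+",
}

# The grok pattern itself. Field order is ASSUMED from the sample line; on a
# real server read it from the "#Fields:" header. The last field is assumed to
# be X-Forwarded-For (NOTSPACE, so a "-" placeholder still matches).
IIS_W3C_GROK = (
    "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:s_sitename} %{IP:s_ip} "
    "%{WORD:cs_method} %{NOTSPACE:cs_uri_stem} %{NOTSPACE:cs_uri_query} "
    "%{INT:s_port} %{NOTSPACE:cs_username} %{IP:c_ip} "
    "%{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_cookie} %{NOTSPACE:cs_referer} "
    "%{NOTSPACE:cs_host} %{INT:sc_status} %{INT:sc_substatus} "
    "%{INT:sc_win32_status} %{INT:sc_bytes} %{INT:cs_bytes} "
    "%{INT:time_taken} %{NOTSPACE:x_forwarded_for}"
)

INT_FIELDS = {"s_port", "sc_status", "sc_substatus", "sc_win32_status",
              "sc_bytes", "cs_bytes", "time_taken"}

_GROK_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named regex groups; text between
    tokens is passed through as regex, as grok does, and the result is
    anchored to the whole line."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]  # KeyError on an unknown name, like grok
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return "^" + _GROK_TOKEN.sub(expand, pattern) + "$"


_IIS_LINE = re.compile(grok_to_regex(IIS_W3C_GROK))


def parse_iis_line(line):
    """Return a dict of fields for one W3C line, or None when it does not
    match (grok would tag such an event _grokparsefailure)."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None  # "#Software:", "#Fields:" etc. are headers, not events
    m = _IIS_LINE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # W3C logs write "-" for an empty value.
    for k, v in event.items():
        if v == "-":
            event[k] = None
    for k in INT_FIELDS:
        if event[k] is not None:
            event[k] = int(event[k])
    # IIS replaces spaces in the user agent with "+". Decoding is lossy: a
    # literal "+" in the original header ("+http://...") cannot be told apart.
    if event["cs_user_agent"]:
        event["cs_user_agent"] = event["cs_user_agent"].replace("+", " ")
    # W3C log timestamps are written in UTC.
    ts = datetime.strptime(event.pop("timestamp"), "%Y-%m-%d %H:%M:%S")
    event["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    return event


def parse_iis_lines(lines):
    """Parse many lines, dropping header lines and anything unparseable."""
    return [e for e in (parse_iis_line(l) for l in lines) if e is not None]


# Sample input: a constructed header line, the line quoted in the post above,
# and a constructed request carrying a query string and a referer.
SAMPLE_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "2019-10-25 07:03:45 W3SVC8 10.173.5.113 GET /my/path/to/things.htm - 443 - 184.50.88.108 Mozilla/5.0+(Linux;+Android+6.0.1;+Nexus+5X+Build/MMB29P)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/41.0.2272.96+Mobile+Safari/537.36+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - - www.mydomain.com 200 0 0 118799 1428 406 66.249.75.87",
    "2019-10-25 07:04:01 W3SVC8 10.173.5.113 GET /search.aspx q=test 443 - 203.0.113.7 curl/7.64.1 - https://www.mydomain.com/ www.mydomain.com 404 0 2 1356 210 15 -",
]

if __name__ == "__main__":
    for event in parse_iis_lines(SAMPLE_LINES):
        print(event)
```

One practical check before writing any pattern: the Filebeat IIS module already ships an ingest pipeline that groks these W3C fields, so events arriving with only `message` populated usually mean that pipeline was never loaded into Elasticsearch (it is installed by `filebeat setup`), not that grok is missing from the stack.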