Parsing IIS log Issue

Elastic Stack Logstash
1

Hello,

I try to parse my IIS log but the problems is that my kibana doesn't recognize the index pattern (logstash_iis-*).

Here the IIS logstash configuration file (/etc/logstash/conf.d/logstash_iis.conf)

 input {
	file {
		type => "IISLog"
		path => "/var/log/ELS/portail1/*.log"
		path => "/var/log/ELS/portail2/*.log"
		path => "/var/log/ELS/portail3/*.log"
		path => "/var/log/ELS/portail4/*.log"
		start_position => "beginning"
	}
}

filter {
	grok {
        match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
	}
  
	date {
		match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
		timezone => "Etc/UCT"
	}
	
	useragent {
		source=> "useragent"
		prefix=> "browser_"
	}
	
	mutate {
		remove_field => [ "log_timestamp"]
	}
}

output {
    stdout { codec => rubydebug }
	elasticsearch { 
	hosts => ["MyELIP:9200"]
	index => "logstash_iis-%{+YYYY.MM.dd}"	
	}
}

Log file for Logstash (/var/log/logstash)

Screenshot_1.jpg1821×471 209 KB

I restarted all the ELK service but I still have this issue
Do you have any idea on this ? Thanks

Michael

2

I try with another ELK server and it's working so for me the logstash configuration file is good. I don't know why, on this server it doesn't working....

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.