Hello,
I am trying to parse my IIS logs, but the problem is that my Kibana doesn't recognize the index pattern (logstash_iis-*).
Here is the IIS Logstash configuration file (/etc/logstash/conf.d/logstash_iis.conf):
input {
  file {
    type => "IISLog"
    # One file input watching all four portal log directories
    path => [
      "/var/log/ELS/portail1/*.log",
      "/var/log/ELS/portail2/*.log",
      "/var/log/ELS/portail3/*.log",
      "/var/log/ELS/portail4/*.log"
    ]
    start_position => "beginning"
  }
}
filter {
  # Split each IIS log line into named fields
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
  }
  # Use the timestamp from the log line as the event @timestamp
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Etc/UCT"
  }
  # Parse the user agent string into browser_* fields
  useragent {
    source => "useragent"
    prefix => "browser_"
  }
  # log_timestamp is not needed after the date filter
  mutate {
    remove_field => [ "log_timestamp" ]
  }
}
output {
  # Print every event to the console for debugging
  stdout { codec => rubydebug }
  # Write events to one index per day
  elasticsearch {
    hosts => ["MyELIP:9200"]
    index => "logstash_iis-%{+YYYY.MM.dd}"
  }
}
Log file for Logstash (/var/log/logstash)
I restarted all the ELK services, but I still have this issue.
Do you have any idea about this? Thanks
Michael