Parsing IIS logs having two different format

kitex · September 17, 2017, 4:39am

I have iss giving logs in below format:

September 16th 2017, 20:24:50.440	6.22.40.176 - - [14/Jul/2017:08:34:57 +0545] "GET /erport.aspx HTTP/1.1" 200 875
September 16th 2017, 20:24:50.440	2017-09-15 23:40:41 W3SVC2 WIN-JKLSIPLS 172.16.40.87 GET /erport.aspx - 80 - 23.16.82.25 ANDROID/9AppsClient/84/3.0.5.6/805/SM-G7102/4.4.2/19/720x1280 - appmango.com.hk 200 0 0 2

How to create rule to match both of the log lines?

I am trying using:

grok {
          match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
	   }

magnusbaeck · September 18, 2017, 1:28pm

You can list multiple expressions in a single grok filter. There's a syntax example in the grok documentation.

system · October 16, 2017, 1:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.