Parsing IIS logs having two different formats

I have IIS giving logs in the format below:

September 16th 2017, 20:24:50.440 - - [14/Jul/2017:08:34:57 +0545] "GET /erport.aspx HTTP/1.1" 200 875
September 16th 2017, 20:24:50.440	2017-09-15 23:40:41 W3SVC2 WIN-JKLSIPLS GET /erport.aspx - 80 - ANDROID/9AppsClient/84/ - 200 0 0 2

How do I create a rule to match both of the log lines?

I am trying with:

grok {
  match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
}

You can list multiple expressions in a single grok filter. There's a syntax example in the grok documentation.
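
A sketch of the multi-pattern form mentioned in the reply above, written against the two sample lines in the question; it is an added example, not part of the original thread or the grok documentation. The field names `server`, `first_field`, `second_field`, `httpversion` and `bytes` are hypothetical, and the `timezone` setting assumes the IIS lines are written in UTC.

```logstash
filter {
  grok {
    # Patterns are tried in list order; with break_on_match (default: true)
    # the first pattern that matches wins and the rest are skipped.
    # grok patterns are unanchored, so a leading display timestamp in front
    # of the line does not stop either pattern from matching.
    match => {
      "message" => [
        # Space-delimited line starting with an ISO timestamp (second sample).
        # Field order follows that sample: it has a server name and no client IP.
        '%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:site} %{NOTSPACE:server} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}',

        # Bracketed-timestamp line with a quoted request (first sample).
        # The page does not say what the two leading "-" fields are, so they
        # get placeholder names here.
        '%{NOTSPACE:first_field} %{NOTSPACE:second_field} \[%{HTTPDATE:log_timestamp}\] "%{WORD:method} %{NOTSPACE:page} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes}'
      ]
    }
    # Lines matching neither pattern are tagged instead of silently passing through.
    tag_on_failure => ["_grokparsefailure"]
  }

  # log_timestamp arrives in one of two layouts, so list both formats.
  date {
    match    => ["log_timestamp", "yyyy-MM-dd HH:mm:ss", "dd/MMM/yyyy:HH:mm:ss Z"]
    # Assumption: the IIS lines carry no zone and are in UTC. This setting is
    # only used when the parsed value has no offset of its own.
    timezone => "UTC"
  }
}
```

Events tagged `_grokparsefailure` matched neither pattern; tracking their count shows how much of the web log stream has no `response`, `page` or `useragent` fields to search or alert on.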
