Parsing problem for IIS server error log using Filebeat 6.3.2


(Varun) #1

My IIS HTTPERROR log is like below:

2018-07-11 05:02:45 10.100.4.168 51477 10.100.4.97 47001 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -

I am getting a parse error in Filebeat. How do I solve it?

The grok expression in filebeat-6.3.2-windows-x86_64\module\iis\error\ingest.json is like below. I didn't change it; it's the default value.

 {
  "description": "Pipeline for parsing IIS error logs. Requires the geoip plugin.",
  "processors": [{
    "grok": {
      "field": "message",
      "patterns":[
        "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:iis.error.remote_ip} %{NUMBER:iis.error.remote_port} %{IPORHOST:iis.error.server_ip} %{IPORHOST:iis.error.server_port} (?:HTTP/%{NUMBER:iis.error.http_version}|-) (?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? (?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
      ],
      "ignore_missing": true
    }
  }, {
    "remove":{
      "field": "message"
    }
  }, {
    "rename": {
      "field": "@timestamp",
      "target_field": "read_timestamp"
    }
  }, {
    "date": {
      "field": "iis.error.time",
      "target_field": "@timestamp",
      "formats": ["yyyy-MM-dd HH:mm:ss"]
    }
  }, {
    "remove": {
      "field": "iis.error.time"
    }
  }, {
    "geoip": {
      "field": "iis.error.remote_ip",
      "target_field": "iis.error.geoip"
    }
  }],
  "on_failure" : [{
    "set" : {
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}

Please help. Thanks


(Varun) #2

Please help.


(ruflin) #3

Can you share the error you get?


(Varun) #4

It's saying the provided grok expression can't parse the log I specified:

"provided grok expression do not match field value"


(ruflin) #5

It looks like %{IPORHOST:iis.error.server_port} should match 47001 in the above. Is that as expected?


(Varun) #6

Yes, it's expected. What about the HTTP version? I think there is some issue.


(Varun) #7

Did you find anything?


(Varun) #8

Sir, I found the problem. I don't know the solution. Please help.

The problem is with "/..\pixfir~1\how_to_login.html".
The section of the grok "(?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? " cannot parse the log fully; picture as below.

If I remove this portion from both the log and the grok, all works well. Attached a picture of it.

Please help. Thanks
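
As an added example (not part of the thread, and not Elastic's code), here is a small Python emulation of the grok step that reproduces the failure on the posted line and shows one way out. It uses simplified stand-ins for the grok base patterns the pipeline references (an approximation of logstash's grok-patterns, not the real definitions), runs the stock pattern from ingest.json, and then a variant that captures iis.error.url with %{NOTSPACE} instead of %{URIPATHPARAM}. The second sample line (/index.html, status 400) is constructed for contrast; the NOTSPACE change is this example's suggestion, not an official fix.

```python
import re

# Sample input. The first line is the HTTPERR line from the post; the second
# is constructed here to show a path that the stock pattern does handle.
SAMPLE_LINES = [
    r"2018-07-11 05:02:45 10.100.4.168 51477 10.100.4.97 47001 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -",
    r"2018-07-11 05:03:10 10.100.4.168 51480 10.100.4.97 80 HTTP/1.1 GET /index.html 400 - BadRequest -",
]

# Simplified stand-ins for the grok base patterns the pipeline uses
# (assumption: an approximation of logstash's grok-patterns, adequate for this
# log format). URIPATH is the one that matters: its character class contains
# no backslash, so matching stops after "/.." on the poster's line.
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}(?::?\d{2})?)?",
    "IPORHOST": r"(?:(?:\d{1,3}\.){3}\d{1,3}|\b[A-Za-z0-9][A-Za-z0-9.-]*)",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "WORD": r"\b\w+\b",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "NOTSPACE": r"\S+",
}

GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def compile_grok(pattern):
    """Expand %{NAME:field} references into a single Python regex.

    Dotted field names are not legal group names in Python, so '.' is
    swapped for '__' here and restored by grok_parse().
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, GROK_PATTERNS[name])  # nested references
        if field:
            return "(?P<%s>%s)" % (field.replace(".", "__"), body)
        return "(?:%s)" % body
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_parse(pattern, line):
    """Return the captured fields as a dict, or None when the pattern does
    not match, which is the condition the ingest node reports as
    'Provided Grok expressions do not match field value'."""
    m = compile_grok(pattern).search(line)
    if m is None:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items()}


# The grok pattern from the module's ingest.json, unchanged.
STOCK_PATTERN = (
    "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:iis.error.remote_ip} "
    "%{NUMBER:iis.error.remote_port} %{IPORHOST:iis.error.server_ip} "
    "%{IPORHOST:iis.error.server_port} (?:HTTP/%{NUMBER:iis.error.http_version}|-) "
    "(?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? "
    "(?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) "
    "(?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
)

# Candidate change (an assumption of this example, not an Elastic fix):
# capture the request target as NOTSPACE so that whatever bytes the client
# sent (backslashes, tildes, anything short of whitespace) are kept.
FIXED_PATTERN = STOCK_PATTERN.replace(
    "%{URIPATHPARAM:iis.error.url}", "%{NOTSPACE:iis.error.url}"
)


if __name__ == "__main__":
    for label, pattern in (("stock", STOCK_PATTERN), ("notspace", FIXED_PATTERN)):
        for line in SAMPLE_LINES:
            fields = grok_parse(pattern, line)
            status = "FAIL" if fields is None else "ok   url=%s" % fields["iis.error.url"]
            print("%-9s %s" % (label, status))
```

Two things worth keeping in mind when applying a change like this. First, the line that fails is exactly the one a defender wants indexed: a request containing "..\" that http.sys rejected with 403 is a traversal attempt, and a strict URI pattern quietly drops attack traffic while parsing benign traffic fine, so a permissive capture such as NOTSPACE (or a fallback pattern tried after the strict one) is the safer choice for an error log. Second, the pipeline in ingest.json is executed by Elasticsearch, not by Filebeat, so editing the file on the Windows host has no effect until the modified pipeline is loaded into the cluster again; the Elasticsearch _ingest/pipeline/_simulate API can be used to run the real grok processor against the posted line before rolling the change out.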


(Varun) #9

Please help.


(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.