Parsing problem for iis server error log using filebeat 6.3.2

varun1992 · September 14, 2018, 2:56pm

My IIS HTTPERROR log is like below

2018-07-11 05:02:45 10.100.4.168 51477 10.100.4.97 47001 HTTP/1.1 GET /..\pixfir~1\how_to_login.html 403 - Forbidden -

i am getting parse error in filebeat. How to solve it ?

Grock expression in filebeat-6.3.2-windows-x86_64\module\iis\error\ingest.json is like below. I didn't change it, it's default value

 {
  "description": "Pipeline for parsing IIS error logs. Requires the geoip plugin.",
  "processors": [{
    "grok": {
      "field": "message",
      "patterns":[
        "%{TIMESTAMP_ISO8601:iis.error.time} %{IPORHOST:iis.error.remote_ip} %{NUMBER:iis.error.remote_port} %{IPORHOST:iis.error.server_ip} %{IPORHOST:iis.error.server_port} (?:HTTP/%{NUMBER:iis.error.http_version}|-) (?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? (?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
      ],
      "ignore_missing": true
    }
  }, {
    "remove":{
      "field": "message"
    }
  }, {
    "rename": {
      "field": "@timestamp",
      "target_field": "read_timestamp"
    }
  }, {
    "date": {
      "field": "iis.error.time",
      "target_field": "@timestamp",
      "formats": ["yyyy-MM-dd HH:mm:ss"]
    }
  }, {
    "remove": {
      "field": "iis.error.time"
    }
  }, {
    "geoip": {
      "field": "iis.error.remote_ip",
      "target_field": "iis.error.geoip"
    }
  }],
  "on_failure" : [{
    "set" : {
      "field" : "error.message",
      "value" : "{{ _ingest.on_failure_message }}"
    }
  }]
}

Please help. Thanks

varun1992 · September 20, 2018, 3:04pm

please help

ruflin · September 25, 2018, 5:54am

Can you share the error you get?

varun1992 · September 28, 2018, 1:57pm

it's saying provided grok expression can't parse the log i specified

"provided grok expression do not match field value"

ruflin · October 1, 2018, 6:59am

It looks like %{IPORHOST:iis.error.server_port} should match 47001 in the above. Is that as expected?

varun1992 · October 1, 2018, 12:21pm

yes it's expected. what about http version ? i think there is some issue

varun1992 · October 6, 2018, 7:07am

did you find anything?

varun1992 · October 13, 2018, 8:22am

Sir, i found the problem. I don't know the solution. Please help

Problem is with "/..\pixfir~1\how_to_login.html"
A section in the grok as "(?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? " cannot parse the log fully pic as below.

If i remove this portion from both log and grok all working well . attached picture for it

Please help. Thanks

varun1992 · October 16, 2018, 10:32am

please help

system · November 13, 2018, 10:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Iis error default pipeline -- grok pattern fails for malformed url paths Beats filebeat	3	788	September 8, 2018
Filebeat IIS Access logs not parsing but Error logs are Beats filebeat	4	323	July 15, 2020
Filebeat Grok Error - IIS Beats filebeat	4	1544	September 12, 2019
Parsing problem for iis server log using filebeat 6.3.2 Beats filebeat	8	2631	October 4, 2018
_grokparsefailure tag errors parsing IIS logs using FileBeat Logstash	3	1110	January 17, 2017

Parsing problem for iis server error log using filebeat 6.3.2

Related topics