Parsing problem for iis server log using filebeat 6.3.2

I have a log like below

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2018-08-28 18:24:25
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-08-28 18:24:25 10.100.220.70 GET / - 80 - 10.100.118.31 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) 404 4 2 792

I have installed Filebeat and configured the filebeat.yml file as below

#=========================== Filebeat inputs =============================

filebeat.inputs:

- type: log
  document_type: iis

  enabled: false

#============================= Filebeat modules ===============================

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml

  reload.enabled: false

and I set up the IIS module as below

- module: iis
  access:
    enabled: true
    var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]

  error:
    enabled: true
    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]

but I am getting a "log cannot parse" error. What should I do?

Can you post the complete log message please?

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2018-08-28 18:24:25
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-08-28 18:24:25 10.100.220.70 GET / - 80 - 10.100.118.31 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) 404 4 2 792

This is a very different log message. In fact, it looks like the beginning of a log file?

Does this log fail as well?

What exactly does the error message say?

I think the filebeat module was tested with IIS 10. Which version are you using? 7.5?

Yes, ours is IIS 7.5. What to do now?

What about custom log formatting using grok? How to do it?

I am attaching the log error I am getting in Kibana.

Unfortunately the IIS module does not support overwriting the grok pattern (nginx does by now). Feel free to open a GitHub issue for custom grok patterns, but also for IIS 7.5.

Your log looks most similar to the IIS grok pattern here:

Your log is missing the iis.access.referrer field.

Modules are just config objects. You can try to update the module by adding a new grok pattern and updating the ingest node pipeline in your local installation.

Sir, there is another issue. Both s-ip and c-ip values are not in IPHOST format:
s-ip = 10.100.220.70

c-ip = 10.100.118.31

How do I create a grok for it?
I tried a grok by removing referer, still not working because of this IP format.

Please help.
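The custom grok pattern the thread is asking for, as an added example in Python (not code from the thread or from the Filebeat IIS module): it derives the pattern from the log's own #Fields header, so a file without a cs(Referer) column yields a pattern without the referrer token, and it parses the request line the same header-driven way. The iis.access.* target names follow the module's naming and are assumed; the sample log is constructed from the thread's line with the IPs as bare IPv4 addresses, which is what IPORHOST matches.

```python
# Constructed sample: the #Fields header and request line from the thread (no cs(Referer) column).
SAMPLE_LOG = """\
#Date: 2018-08-28 18:24:25
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-08-28 18:24:25 10.100.220.70 GET / - 80 - 10.100.118.31 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) 404 4 2 792
"""

# W3C column -> (grok pattern, target field); the iis.access.* names mirror the Filebeat module (assumed).
GROK_FOR = {
    "s-ip": ("IPORHOST", "iis.access.server_ip"),
    "cs-method": ("WORD", "iis.access.method"),
    "cs-uri-stem": ("URIPATH", "iis.access.url"),
    "cs-uri-query": ("NOTSPACE", "iis.access.query_string"),
    "s-port": ("NUMBER", "iis.access.port"),
    "cs-username": ("NOTSPACE", "iis.access.user_name"),
    "c-ip": ("IPORHOST", "iis.access.remote_ip"),
    "cs(User-Agent)": ("NOTSPACE", "iis.access.agent"),
    "cs(Referer)": ("NOTSPACE", "iis.access.referrer"),
    "sc-status": ("NUMBER", "iis.access.response_code"),
    "sc-substatus": ("NUMBER", "iis.access.sub_status"),
    "sc-win32-status": ("NUMBER", "iis.access.win32_status"),
    "time-taken": ("NUMBER", "iis.access.request_time_ms"),
}

def grok_from_fields(fields_line):
    """Build a grok pattern that matches exactly the columns a #Fields directive declares."""
    cols, parts, i = fields_line.split(":", 1)[1].split(), [], 0
    while i < len(cols):
        if cols[i] == "date" and cols[i + 1:i + 2] == ["time"]:
            parts.append("%{TIMESTAMP_ISO8601:iis.access.time}")  # date + time as one token
            i += 2
        else:  # unknown columns fall back to NOTSPACE under a derived name
            pattern, name = GROK_FOR.get(cols[i], ("NOTSPACE", "iis.access." + cols[i].replace("-", "_")))
            parts.append("%%{%s:%s}" % (pattern, name))
            i += 1
    return " ".join(parts)

def parse_w3c(text):
    """Parse W3C extended log lines using the #Fields header instead of a fixed layout."""
    cols, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            cols = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#") and cols:
            values = line.split(" ")  # IIS writes '+' for spaces inside a field, so split on ' '
            if len(values) != len(cols):  # surface malformed rows instead of dropping them
                raise ValueError("expected %d fields, got %d" % (len(cols), len(values)))
            records.append(dict(zip(cols, values)))
    return records
```

The returned pattern is what goes into the grok processor of the module's ingest pipeline, regenerated whenever the site's logging fields change.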
