I'm trying to setup Filebeats to directly ship some IIS logs to ElasticSearch. While it appears my logs are getting picked up and making it to the server, when I open the Logs section in Kibana I get an entry but it's an error. For 6.6.0, the error is "failed to format message from C:\inetpub\logs\LogFiles\W3SVC2\u_ex190225.log". I read somewhere that there was an issue with the IIS module that was fixed in 6.7. Since 6.7 is not out, I tried 7.0.0-beta1 and there I still get the error "failed to find message". I'm not entirely sure how all the configurations work. I checked the \filebeat\module\iis\access\ingest\default.json file and the first pattern seems to match my log file format. The yyyy-MM-dd HH:mm:ss date format under iis.access.time also seems good. At this point, I'm not sure where else to look to troubleshoot this and am not finding anything in the docs.
Could you please share your configuration and an example event which contains the error you get?
Have you updated the IIS pipeline on your ES instance? It might not be updated without calling ./filebeat setup --pipelines -modules=iis.
I ran that command and it doesn't appear to have changed anything. Below are my config files, filebeat.yml and iis.yml. Can you give me some more info on how I can get this example event that contains the error, I'm brand new to this product so can't say that I know where I would get that.
filebeat.yml (commented out lines removed for brevity)
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
#paths:
#- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "http://192.168.1.25:5601"
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["192.168.1.25:9200"]
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
iis.yml
- module: iis
# Access logs
access:
enabled: true
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["C:/inetpub/logs/LogFiles/W3SVC2/*.log"]
# Error logs
error:
enabled: false
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]Any information on getting an example event as requested? I've been searching the docs all over for something like that and have yet to find anything.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.