I am using ELK 7.2. I am using the IIS module to ship IIS access logs to ES. I am seeing this error.
error.message Provided Grok expressions do not match field value: [2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 400 0 2148734208 0]
message 2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 400 0 2148734208
Here is my log file:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-06-27 00:26:10 10.44.3.151 GET /sanity/Insights/Insights_Level1_Sanity_Report_2019_06_15-03_39_03_10.6.1_BI_Firefox.html - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 93
2019-06-27 00:26:10 10.44.3.151 GET /favicon.ico - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 0
2019-06-27 00:26:15 10.44.3.151 GET / - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 401 0 0 515
2019-06-27 00:26:25 10.44.3.151 GET / - 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 1187
2019-06-27 00:26:25 10.44.3.151 GET /Content/css v=8QYbSmx8DXbv5uGsZSvpiAsV5ev6-C7dT0ccPMSxUCQ1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.abc.test.com/ 200 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/jquery v=FVs3ACwOLIVInrAl5sdzR2jrCDmVOWFbZMY6g6Q0ulE1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/bootstrap v=2Fz3B0iizV2NnnamQFrx-NbYJNTFeBJ2GM05SilbtQU1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/modernizr v=wBEWDufH_8Md-Pbioxomt90vm6tJN2Pyy9u9zHtWsPo1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/bootstrap v=2Fz3B0iizV2NnnamQFrx-NbYJNTFeBJ2GM05SilbtQU1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /bundles/jquery v=FVs3ACwOLIVInrAl5sdzR2jrCDmVOWFbZMY6g6Q0ulE1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /bundles/modernizr v=wBEWDufH_8Md-Pbioxomt90vm6tJN2Pyy9u9zHtWsPo1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /favicon.ico - 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 0
Surprisingly, when I pointed this Filebeat to send logs to my test instance, which is ES 7.1, it works fine and I don't see these errors.
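A triage sketch for the rejected line above, as an added example that is not part of the original post and is not the Filebeat IIS module's own logic: it splits a W3C line according to the `#Fields` directive and reports values that differ in kind from the lines that parse. The function names are hypothetical, and the two checks (numeric values above the signed 32-bit range, a `cs-uri-stem` that is not a `/` path) are assumptions about what can trip a grok pattern or type conversion, not a statement of the cause.

```python
# Added example (not from the post): W3C/IIS line triage driven by #Fields.
# Sample lines are copied from the post; the checks are heuristics (assumptions).
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")
FAILING = ("2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 "
           "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) "
           "- 400 0 2148734208 0")
PASSING = ("2019-06-27 00:26:10 10.44.3.151 GET /favicon.ico - 443 - 10.29.78.160 "
           "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 "
           "- 200 0 0 0")

NUMERIC = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
INT32_MAX = 2**31 - 1  # upper bound of a signed 32-bit integer


def parse_fields(directive):
    """Return the ordered field names from a '#Fields:' directive."""
    if not directive.startswith("#Fields:"):
        raise ValueError("not a #Fields directive")
    return directive[len("#Fields:"):].split()


def triage(line, names):
    """Return (record, findings); record is None if the field count is off."""
    values = line.split(" ")
    if len(values) != len(names):
        return None, [f"field count {len(values)} != {len(names)} in #Fields"]
    record = dict(zip(names, values))
    findings = []
    for name in names:
        value = record[name]
        if name not in NUMERIC or value == "-":
            continue
        if not value.isdigit():
            findings.append(f"{name}: non-numeric {value!r}")
        elif int(value) > INT32_MAX:
            findings.append(f"{name}: {value} exceeds signed 32-bit range")
    stem = record.get("cs-uri-stem", "/")
    if not stem.startswith("/"):
        findings.append(f"cs-uri-stem: {stem!r} does not start with '/'")
    return record, findings


if __name__ == "__main__":
    names = parse_fields(FIELDS)
    for label, line in (("failing", FAILING), ("passing", PASSING)):
        print(label, triage(line, names)[1])
```

Running this over the file that produces the errors shows whether every rejected line shares the same unusual field, which narrows down what to compare between the 7.1 and 7.2 ingest pipelines.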