Seeing error in IIS module

Hi
@pierhugues
@Kaiyan_Sheng

I am using ELK 7.2. I am using the iis module to ship IIS access logs to ES. I am seeing this error.

error.message Provided Grok expressions do not match field value: [2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 400 0 2148734208 0]

message 2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 400 0 2148734208

Here is my log file

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-06-27 00:26:10 10.44.3.151 GET /sanity/Insights/Insights_Level1_Sanity_Report_2019_06_15-03_39_03_10.6.1_BI_Firefox.html - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 93
2019-06-27 00:26:10 10.44.3.151 GET /favicon.ico - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 0
2019-06-27 00:26:15 10.44.3.151 GET / - 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 401 0 0 515
2019-06-27 00:26:25 10.44.3.151 GET / - 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 1187
2019-06-27 00:26:25 10.44.3.151 GET /Content/css v=8QYbSmx8DXbv5uGsZSvpiAsV5ev6-C7dT0ccPMSxUCQ1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.abc.test.com/ 200 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/jquery v=FVs3ACwOLIVInrAl5sdzR2jrCDmVOWFbZMY6g6Q0ulE1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/bootstrap v=2Fz3B0iizV2NnnamQFrx-NbYJNTFeBJ2GM05SilbtQU1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/modernizr v=wBEWDufH_8Md-Pbioxomt90vm6tJN2Pyy9u9zHtWsPo1 443 - 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 401 0 0 0
2019-06-27 00:26:25 10.44.3.151 GET /bundles/bootstrap v=2Fz3B0iizV2NnnamQFrx-NbYJNTFeBJ2GM05SilbtQU1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /bundles/jquery v=FVs3ACwOLIVInrAl5sdzR2jrCDmVOWFbZMY6g6Q0ulE1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /bundles/modernizr v=wBEWDufH_8Md-Pbioxomt90vm6tJN2Pyy9u9zHtWsPo1 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 https://reports.ags.esri.com/ 200 0 0 15
2019-06-27 00:26:25 10.44.3.151 GET /favicon.ico - 443 AVWORLD\abcd2810 10.29.78.160 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 0

Surprisingly, when I pointed this Filebeat to send logs to my test instance, which is ES 7.1, it works fine and I don't see these errors.

Hello @syedsfayaz, I tested with the logs you attached with master branch of filebeat and it works fine :smile: What version of filebeat are you using?

@Kaiyan_Sheng it's 7.2. This works fine with ES 7.1, but I am seeing this error on ES 7.2.

@Kaiyan_Sheng added the correct log.

2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..À¯..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0
2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..ÁÁ..ÁÁ..ÁÁ..ÁÁ..ÁÁ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 2 46
2018-12-31 12:02:53 10.44.0.136 GET /Director - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0
2018-12-31 12:02:53 10.44.0.136 GET / - 443 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 401 0 0 0
2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 15

These logs failed with both 7.2 Filebeat and master. Could you please create a GitHub issue for this?
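The two kinds of line the module rejected above (the OPTIONS * request and the overlong-encoded traversal probes against cmd.exe) are exactly the events a defender least wants silently dropped by a failed grok. As an added example, not code from this thread or from Filebeat, the Python below splits IIS W3C lines by their #Fields directive rather than a fixed pattern and triages the parsed records; SAMPLE_LOG is constructed from lines quoted in the thread (the traversal line shortened to two encoded segments).

```python
from typing import Dict, List, Optional

# Constructed sample built from lines quoted in the thread: the #Fields header,
# the OPTIONS * line the grok rejected, one of the traversal probes whose URI
# stem carries non-ASCII bytes, and an ordinary authenticated request.
SAMPLE_LOG = "\n".join([
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2019-02-09 09:40:50 10.44.0.136 OPTIONS * - 8080 - 10.50.6.180 "
    "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 400 0 2148734208 0",
    "2018-12-31 12:02:53 10.44.0.136 GET /pbserver/..\u00c0\u00af..\u00c0\u00af../winnt/system32/cmd.exe "
    "/c+dir+c:\\+/OG 8080 - 10.50.6.188 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 404 0 64 0",
    "2019-06-27 00:26:25 10.44.3.151 GET /favicon.ico - 443 AVWORLD\\abcd2810 10.29.78.160 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:67.0)+Gecko/20100101+Firefox/67.0 - 200 0 0 0",
])


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Split IIS W3C lines by the #Fields directive instead of a fixed grok layout.
    IIS writes spaces inside a value as '+' and empty values as '-', so a plain
    space split yields exactly one token per declared field."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def probe_reasons(rec: Dict[str, str]) -> List[str]:
    """Defender-side triage: reasons a parsed request looks like a scanner probe."""
    reasons = []
    stem = rec["cs-uri-stem"]
    if rec["cs-method"] == "OPTIONS" and stem == "*":
        reasons.append("OPTIONS * server-wide method probe")
    if ".." in stem:
        reasons.append("dot-dot segment in URI stem (path traversal attempt)")
    if any(ord(ch) > 127 for ch in stem):
        reasons.append("non-ASCII bytes in URI stem (overlong/encoded traversal)")
    if stem.lower().endswith("cmd.exe"):
        reasons.append("request targets cmd.exe")
    return reasons
```

Records that raise in parse_w3c, or that return a non-empty reason list, are the ones worth routing to a separate index rather than discarding.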

One more thing: I don't see all these fields on my prod instance (ES 7.2), whereas I see them on my test instance (ES 7.1).

Test_Instance:-

Prod_Instance

@Kaiyan_Sheng Can you please tell me a workaround for this issue? It might take some time for this to get fixed.