[ SOLVED] Remove IIS log

Alexis.d · August 17, 2016, 10:08am

Hey there,

I need some help :).

I work with ELK and Nxlog for my IIS log and it's work fine but i want to log only errors on my web sites and remove all log with sc-status 200 sc-win32-status 0 .

Here an exemple of logging:

2016-08-12 08:02:09 W3SVC1 WEB ip GET /categorie.aspx categorie=403848 80 - ip HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:47.0)+Gecko/20100101+Firefox/47.0 http://exemple/categorie.aspx?categorie=403839 www.exemple.es 200 0 0 26088 5092 764

Here some errors : 404

2016-08-12 08:02:23 W3SVC1 WEB-01 ip GET /graphics/zoomout.cur - 80 - ip HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko http://www.exemple.es/ficheProduit.aspx?produit=5032918 www.exemple.es 404 0 2 1427 6505 109

Status 200 but win32 stauts 64 :
2016-08-12 08:03:55 W3SVC1 WEB ip GET /TagFacebook.aspx page=/accueil.aspx 80 - ip HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:47.0)+Gecko/20100101+Firefox/47.0 http://www.exemple.es/accueil.aspx www.exemple.es 200 0 32 0 5684 31

I have simple configuration of logstash :

input { tcp { port => "5044" type => "iislog" codec => json } } filter { json { source => "message" } if "_jsonparsefailure" in [tags] { drop {} } } output { elasticsearch { hosts => "localhost:9200" manage_template => false index => "%{type}-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" } }

Json code in Kibana

{ "_index": "iislog-2016.08.12", "_type": "%{[@metadata][type]}", "_id": "AVZ_N_fC8UR-Fmnrfwe6", "_score": null, "_source": { "EventReceivedTime": "2016-08-12 16:49:28", "SourceModuleName": "in", "SourceModuleType": "im_file", "date": "2016-08-12", "time": "14:38:10", "s-sitename": "W3SVC1", "s-computername": "WEB", "s-ip": "ip", "cs-method": "GET", "cs-uri-stem": "/AppMobile.aspx", "cs-uri-query": "some query", "s-port": 80, "cs-username": null, "c-ip": "ip", "csUser-Agent": "HTTP/1.1", "cs-version": "Mozilla/5.0+(Linux;+Android+6.0;+ALE-L21+Build/HuaweiALE-L21)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/52.0.2743.98+Mobile+Safari/537.36", "cs-host": null, "cs-Referer": "www.exemple.es", "sc-status": 302, "sc-substatus": 0, "sc-win32-status": 0, "time-taken": 1477, "sc-bytes": 3121, "cs-bytes": 62, "SourceName": "ES", "EventTime": "2016-08-12T14:38:10Z", "@version": "1", "@timestamp": "2016-08-12T14:46:29.477Z", "host": "ip", "port": 57542, "type": "iislog" },

How i can do that if i can do that ;).

Thank for your time.

magnusbaeck · August 17, 2016, 10:40am

Use a conditional together with the drop filter.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

Alexis.d · August 17, 2016, 11:12am

Thanks for the reply magnus,

Something like this should work ? :

filter {
if [sc-status] == "200" and [sc-win32-status] == "0"{
drop {}
}
}

Thank for you help

magnusbaeck · August 17, 2016, 11:34am

Your values are integers and not strings so drop the quotes, but otherwise is looks fine.

Alexis.d · August 17, 2016, 11:40am

Thanks a lot i will test that.

Alexis.d · August 17, 2016, 12:46pm

It works like a charm thank magnus