Using beats input

I'm having a bit of a problem and I can't seem to solve it, so hopefully someone here can help :slight_smile:

I have multiple servers running various beats (filebeat, winlogbeat, metricbeat). These are all configured to ship to Logstash. Filebeat is currently configured to ship the IIS log that is generated from the websites that reside on the servers.

This is all working great and all of my metrics and events are coming in and available in Kibana as expected. The IIS logs are also coming in fine, however my grok filter isn't being applied, so the details are all in a single message block rather than being split out. I have tested the grok setup and that is fine.

The problem is that I have an if statement saying that only type IIS should have the grok applied; everything else should go through as normal. When I check the records under filebeat-* in Kibana they are showing as type log, so not being picked up as IIS logs.

How do I specify that these are IIS logs and ensure that the type is set correctly? Or is there another way of specifying which are IIS logs to be filtered and what is everything else?

Thank you so much, this will help me get my implementation off the ground!

You can set the type of the IIS events in the Filebeat configuration. IIRC the option is called document_type.
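A minimal sketch of the setup discussed in this thread, added here as an example and not taken from any poster's configuration. It assumes Filebeat 5.x prospector syntax; the log path, the Logstash host and the grok pattern are placeholders.

```yaml
# filebeat.yml (Filebeat 5.x syntax assumed; path and host are placeholders)
filebeat.prospectors:
  # IIS access logs: tag these events so Logstash can tell them apart.
  - input_type: log
    paths:
      - 'C:\inetpub\logs\LogFiles\*\*.log'
    # Without this option the event's "type" field defaults to "log",
    # which is why the records appear in Kibana as type log and the
    # Logstash conditional never matches.
    document_type: IIS

output.logstash:
  hosts: ["logstash.example.internal:5044"]

# Matching Logstash pipeline filter (Logstash config syntax, shown as
# comments so this block stays a single YAML file). The comparison is
# case-sensitive, so the value must match document_type exactly.
#
# filter {
#   if [type] == "IIS" {
#     grok {
#       match => { "message" => "<your tested IIS grok pattern>" }
#     }
#   }
#   # Events with any other type skip the grok and pass through unchanged.
# }
```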

Perfect, thank you.

I never looked into the filebeat-full.yml so missed that field. I have changed that to IIS and it's working correctly now. The message is now being broken down correctly.

Now to set a dashboard up :slight_smile:
