Where do I place Grok Filter for IIS on logstash

Hi,

I have an ELK stack installed on Windows Server and I am trying to input a grok filter for IIS. Where do I put that? Is it in the Logstash config file? When I place it in there, I lose the connection from Filebeat.

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["C:/temp/WinlogBeatsSSL/RootCA.crt"]
    ssl_certificate => "C:/temp/WinlogBeatsSSL/cert.crt"
    # the beats input expects this key in PKCS#8 format
    ssl_key => "C:/temp/WinlogBeatsSSL/server.key"
  }
}

filter {
  # Filebeat's "document_type: iis" arrives in the "type" field
  if [type] == "iis" {
    grok {
      # One W3C-format IIS line. The query field is "-" when empty, so it is optional.
      # It is matched with NOTSPACE rather than URIPATH because a query string can
      # contain characters URIPATH does not allow, and because an unescaped double
      # quote inside this double-quoted pattern string would end the string and make
      # the whole config file fail to load.
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|%{NOTSPACE:CS-URI-Query}) %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}" }
    }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    # one daily index per beat and beat version, e.g. filebeat-5.6.0-2019.03.04
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Or do I save it as a config file (.config) and place it in the config folder? If so, how does Logstash know to use that config file?

Thanks,
Pat

Oh, on the Filebeat side I have this:

filebeat.prospectors:
- input_type: log
  paths:
    # the per-site W3SVC<n> folders under LogFiles and the u_ex*.log files inside them
    - C:\inetpub\logs\LogFiles\*\*
  # Filebeat 5.x: becomes the "type" field that the Logstash filter tests with [type] == "iis"
  document_type: iis
  fields:
    client: pat

output.logstash:
  hosts: ["corputility001w:5044"]
  ssl.certificate_authorities: ["c:/programdata/winlogbeat/Rootca.crt"]
  ssl.certificate: "c:/programdata/winlogbeat/cert.crt"
  ssl.key: "c:/programdata/winlogbeat/detexian/server.key"

logging.level: info
logging.selectors: ["*"]
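Added example, not part of Pat's post and not Elastic's own code: a Python regex that mirrors the grok pattern in the Logstash filter above, so the pattern can be checked against IIS lines on a workstation before touching the pipeline. It assumes Python-legal group names (grok's hyphenated names are mapped to underscores and back), simplifies IPORHOST and URIPATH to "no spaces" matches, and uses constructed sample log lines rather than real traffic.

```python
import re

# Regex mirroring the grok line from the Logstash filter. Group names use
# underscores because Python's re requires identifiers; parse_iis_line() maps
# them back to the hyphenated grok names. IPORHOST and URIPATH are simplified
# to \S+ and /\S* (assumption: adequate for W3C fields, which never contain
# spaces; IIS replaces spaces in them with '+').
NUMBER = r"-?\d+(?:\.\d+)?"
TS = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?"

IIS_W3C = re.compile(
    rf"^(?P<log_timestamp>{TS}) "
    r"(?P<S_SiteName>\w+) "
    r"(?P<S_ComputerName>\S+) "
    r"(?P<S_IP>\S+) "
    r"(?P<CS_Method>\w+) "
    r"(?P<CS_URI_Stem>/\S*) "
    r"(?:-|(?P<CS_URI_Query>\S+)) "  # IIS writes "-" when the query is empty
    rf"(?P<S_Port>{NUMBER}) "
    r"(?P<CS_Username>\S+) "
    r"(?P<C_IP>\S+) "
    r"(?P<CS_Version>\S+) "
    r"(?P<CS_UserAgent>\S+) "
    r"(?P<CS_Cookie>\S+) "
    r"(?P<CS_Referer>\S+) "
    r"(?P<CS_Host>\S+) "
    rf"(?P<SC_Status>{NUMBER}) "
    rf"(?P<SC_SubStatus>{NUMBER}) "
    rf"(?P<SC_Win32_Status>{NUMBER}) "
    rf"(?P<SC_Bytes>{NUMBER}) "
    rf"(?P<CS_Bytes>{NUMBER}) "
    rf"(?P<Time_Taken>{NUMBER})$"
)

# Fields cast to numbers, which is what %{NUMBER:name:int} would do in grok.
INT_FIELDS = {"S-Port", "SC-Status", "SC-SubStatus", "SC-Win32-Status",
              "SC-Bytes", "CS-Bytes", "Time-Taken"}


def _number(value):
    return int(value) if re.fullmatch(r"-?\d+", value) else float(value)


def parse_iis_line(line):
    """Parse one W3C IIS line into a dict keyed by the grok field names.

    Returns None when the line does not match, e.g. the "#Software:" and
    "#Fields:" header lines IIS writes at the top of every log file, which
    the grok filter would tag with _grokparsefailure.
    """
    m = IIS_W3C.match(line.rstrip("\r\n"))
    if m is None:
        return None
    event = {}
    for group, value in m.groupdict().items():
        if value is None:  # optional query field was "-"
            continue
        name = group if group == "log_timestamp" else group.replace("_", "-")
        event[name] = _number(value) if name in INT_FIELDS else value
    return event


def parse_log(lines):
    """Split a log into parsed events and the raw lines the pattern rejects."""
    events, rejected = [], []
    for line in lines:
        event = parse_iis_line(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


# Constructed sample of a u_ex*.log file (not real traffic); the column order
# matches the grok pattern above.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
    "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host "
    "sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken",
    "2019-03-04 10:15:22 W3SVC1 WEB01 10.0.0.5 GET /api/items id=42 443 - 203.0.113.9 "
    "HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - - example.com 200 0 0 512 318 27",
    "2019-03-04 10:15:23 W3SVC1 WEB01 10.0.0.5 GET /index.html - 80 - 198.51.100.4 "
    "HTTP/1.1 curl/7.64.0 - - example.com 404 0 2 1234 90 3",
]

if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    for e in events:
        print(e["C-IP"], e["CS-Method"], e["CS-URI-Stem"],
              e.get("CS-URI-Query", ""), e["SC-Status"], e["Time-Taken"])
    print(f"{len(events)} parsed, {len(rejected)} rejected (header lines)")
```

The two header lines are rejected, which is what Logstash would do too: every IIS log file starts with `#Software:`/`#Fields:` comment lines, and Filebeat's `exclude_lines: ['^#']` option drops them before they are shipped. The Logstash config itself can be syntax-checked without starting the pipeline with `bin/logstash --config.test_and_exit -f <path to the config>`, which is a quick way to tell a config parse error (such as an unescaped quote inside the grok pattern) from a TLS problem when the beats listener stops accepting connections.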
