Hi,
I have an ELK stack installed on Windows Server and I am trying to input a grok filter for IIS. Where do I put that? Is it in the Logstash config file? When I place it there, I lose the connection from Filebeat.

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["C:/temp/WinlogBeatsSSL/RootCA.crt"]
    ssl_certificate => "C:/temp/WinlogBeatsSSL/cert.crt"
    ssl_key => "C:/temp/WinlogBeatsSSL/server.key"
  }
}
filter {
  if [type] == "iis" {
    grok {
      # Single-quoted so the literal double quotes inside the pattern do not end the string
      match => { "message" => '%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|"%{URIPATH:CS-URI-Query}") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}' }
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

Or do I save it as a config file (.config) and place it in the config folder? If so, how does Logstash know to use that config file?
Thanks,
Pat
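
An offline check of the grok expression from the post against IIS W3C log lines, added here as an example and not code from the post or from Logstash. It shows which lines the expression extracts fields from and which would only be tagged `_grokparsefailure`, leaving no IIS fields to search or alert on. The definitions in `GROK` are simplified stand-ins for the stock patterns, and the log lines are constructed.

```python
import re

# Simplified stand-ins for the stock grok patterns used by the filter
# (assumptions for this example, not Logstash's exact definitions).
GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "IPORHOST": r"[0-9A-Za-z][0-9A-Za-z.:-]*",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_-]*)+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

# The match expression from the post, unchanged.
IIS_PATTERN = (
    '%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} '
    '%{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} '
    '(?:-|"%{URIPATH:CS-URI-Query}") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} '
    '%{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} '
    '%{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} '
    '%{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} '
    '%{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}'
)

# Constructed IIS W3C lines: one with an empty query ("-"), one with a query string.
HEAD = "2024-05-01 12:00:00 W3SVC1 WEB01 10.0.0.5 GET "
TAIL = " 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0 - - www.example.test 200 0 0 5120 312 15"
NO_QUERY = HEAD + "/index.html -" + TAIL
WITH_QUERY = HEAD + "/search.aspx q=test" + TAIL

def compile_grok(expr):
    """Expand %{SYNTAX:field} into named groups; return (regex, group -> field)."""
    fields = {}
    def expand(m):
        group = f"g{len(fields)}"  # Python group names cannot contain '-'
        fields[group] = m.group(2)
        return f"(?P<{group}>{GROK[m.group(1)]})"
    return re.compile(re.sub(r"%\{(\w+):([\w-]+)\}", expand, expr)), fields

def grok(line, expr=IIS_PATTERN):
    """Return extracted fields, or the tag grok adds by default when nothing matches."""
    regex, fields = compile_grok(expr)
    m = regex.search(line)  # grok is unanchored, so search() rather than fullmatch()
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    return {fields[g]: v for g, v in m.groupdict().items() if v is not None}

if __name__ == "__main__":
    for line in (NO_QUERY, WITH_QUERY):
        print(grok(line))
```

The line with `-` in the query column parses into 20 fields, while the line carrying `q=test` does not match, because the expression accepts only `-` or a double-quoted path in that position.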