Hi all,
I have a confusing question.
I need to transfer IIS logs from an Exchange Server.
But the data is too huge for the server.
So I want only the WAN IP logs on the Exchange Server to be transported to Graylog,
and I used winlogbeat.yml.
The original IIS logs:
date 2024-10-09 time 06:49:56 s-sitename W3SVC1 s-computername TEST-01 s-ip 172.16.22.11 cs-method GET cs-uri-stem /RDWeb/Pages/rdp/mstsc256_32x32.png cs-uri-query - s-port 443 cs-username kana\jim c-ip 172.16.22.80 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/129.0.0.0+Safari/537.36+Edg/129.0.0.0 cs(Cookie) - cs(Referer) url cs-host - sc-status 200 sc-substatus 0 sc-win32-status 0 sc-bytes 4529 cs-bytes 2449 time-taken 206
What I want to do is keep only the events where sc-status is 200 and c-ip is a WAN IP.
- name: Microsoft-IIS-Logging/Logs
  event_id: 6200
  processors:
    - drop_event:
        when:
          network:
            c.ip: '172.16.22.0/24'
The ideal situation:
c-ip 172.16.22.6 ---->drop event
c-ip 233.95.14.157----->keep event
But it doesn't work after I used the processor.
The data is still transported to Graylog.
I am so exhausted after trying for more than one week.
Please give me some help.
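Added example (not code from the post, from Winlogbeat or from Graylog): a small Python script that parses the IIS log message format shown above and applies the intended rule, keep sc-status 200 only when c-ip lies outside 172.16.22.0/24, so the condition can be checked against real lines before relying on the Beats processor. The field names are the ones in the pasted line; the sample line is constructed from it, and the `lan_networks` parameter is an assumption that lets more ranges be dropped than the single /24 in the post.

```python
import ipaddress

# Field names as they appear in the IIS ETW log message pasted in the post.
FIELD_NAMES = {
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
}

# Constructed sample, copied from the line in the post (LAN client, status 200).
SAMPLE = (
    "date 2024-10-09 time 06:49:56 s-sitename W3SVC1 s-computername TEST-01 "
    "s-ip 172.16.22.11 cs-method GET cs-uri-stem /RDWeb/Pages/rdp/mstsc256_32x32.png "
    "cs-uri-query - s-port 443 cs-username kana\\jim c-ip 172.16.22.80 cs-version - "
    "cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
    "+(KHTML,+like+Gecko)+Chrome/129.0.0.0+Safari/537.36+Edg/129.0.0.0 "
    "cs(Cookie) - cs(Referer) url cs-host - sc-status 200 sc-substatus 0 "
    "sc-win32-status 0 sc-bytes 4529 cs-bytes 2449 time-taken 206"
)


def parse_iis_message(message: str) -> dict:
    """Parse 'name value name value ...' into a dict.

    A token that is a known field name starts a new field; any other token is
    appended to the current field's value, so a value containing a stray space
    (as happens when the message is copied around) does not break parsing.
    """
    fields, current = {}, None
    for token in message.split():
        if token in FIELD_NAMES:
            current = token
            fields[current] = ""
        elif current is not None:
            fields[current] = (fields[current] + " " + token).strip()
    return fields


def keep_event(message: str, lan_networks=("172.16.22.0/24",)) -> bool:
    """True if sc-status is 200 and c-ip is outside every LAN range,
    i.e. the event should be forwarded to Graylog; False means drop."""
    fields = parse_iis_message(message)
    if fields.get("sc-status") != "200":
        return False
    try:
        client = ipaddress.ip_address(fields.get("c-ip", ""))
    except ValueError:
        return False  # missing or unparseable client address: do not forward
    return not any(client in ipaddress.ip_network(n) for n in lan_networks)
```

Running `keep_event` over the Exchange log lines shows which events the rule would drop; if the count matches what you expect, the problem is in how Winlogbeat names the field, not in the rule itself.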