Created
January 15, 2016 05:58
-
-
Save rebornix/f2dd3cd8bfaca14f40a9 to your computer and use it in GitHub Desktop.
Logstash configuration for IIS log.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| type => "IISLog" | |
| path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log" | |
| start_position => "beginning" | |
| } | |
| } | |
| filter { | |
| # ignore log comments | |
| if [message] =~ "^#" { | |
| drop {} | |
| } | |
| # check that fields match your IIS log settings | |
| grok { | |
| match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} (%{URI:referer})? %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"] | |
| } | |
| # set the event timestamp from the log | |
| # https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html | |
| date { | |
| match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ] | |
| timezone => "Etc/UCT" | |
| } | |
| # matches the big, long nasty useragent string to the actual browser name, version, etc | |
| # https://www.elastic.co/guide/en/logstash/current/plugins-filters-useragent.html | |
| useragent { | |
| source=> "useragent" | |
| prefix=> "browser_" | |
| } | |
| mutate { | |
| remove_field => [ "log_timestamp"] | |
| } | |
| } | |
| # output logs to console and to elasticsearch | |
| output { | |
| stdout { codec => rubydebug } | |
| elasticsearch { hosts => ["localhost:9200"] } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment