Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parsing problem for iis server log using filebeat v6 #9753

Closed
Demantel2016 opened this issue Dec 21, 2018 · 4 comments · Fixed by #9967
Closed

Parsing problem for iis server log using filebeat v6 #9753

Demantel2016 opened this issue Dec 21, 2018 · 4 comments · Fixed by #9967
Assignees
@kaiyan-sheng
Labels
Filebeat Filebeat module Team:Integrations Label for the Integrations team

Comments

@Demantel2016
Copy link

i have a problem with iis module in filebeat as link below. i disscussed it in elastic disscuss page

https://discuss.elastic.co/t/parsing-problem-for-iis-server-log-using-filebeat-6-3-2/146227

My iis log is

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2018-08-28 18:24:25
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-08-28 18:24:25 [10.100.220.70](http://10.100.220.70) GET / - 80 - [10.100.118.31](http://10.100.118.31) Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR[+2.0.50727](tel:+2050727);+.NET+CLR+3.0.30729) 404 4 2 792

and i setup iis module as below

- module: iis
  access:
    enabled: true
    var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]

  error:
    enabled: true
    var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"]

I get error in elastic while parsing as Provided grock expression donot match the field value

We found out the problem was my log looks most similar to the IIS grok pattern here:
https://github.com/elastic/beats/blob/master/filebeat/module/iis/access/ingest/default.json#L7

but my log is missing the iis.access.referrer field.

Can you add the new grok pattern with out that field to iis module default.json file ?

Thanks

For confirmed bugs, please report:
@Demantel2016
Copy link
Author

Anybody please help ?

@ruflin
Copy link
Contributor

ruflin commented Dec 27, 2018

@Demantel2016 Any chance you could open a PR with a fix for the grok pattern and and and the example log you share above inside? This would make this quickest to fix.

@ruflin ruflin added module Filebeat Filebeat Team:Integrations Label for the Integrations team labels Dec 27, 2018
@Demantel2016
Copy link
Author

i didn't understand? what do you mean ?

@ruflin
Copy link
Contributor

ruflin commented Jan 7, 2019

Sorry about the abbrevation. By PR I meant a Pull Request on Github: https://help.github.com/articles/about-pull-requests/

@kaiyan-sheng kaiyan-sheng self-assigned this Jan 9, 2019
@kaiyan-sheng kaiyan-sheng mentioned this issue Jan 9, 2019
Merged
@kaiyan-sheng kaiyan-sheng mentioned this issue Jan 11, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kaiyan-sheng kaiyan-sheng

Labels
Filebeat Filebeat module Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add grok pattern support for iis 7.5 log format
3 participants
@ruflin @kaiyan-sheng @Demantel2016