/iis-parse.config
Last active Jan 8, 2017
logstash config for parsing IIS maximal logging
| #tested using http://grokdebug.herokuapp.com/ | |
| input { | |
| tcp { | |
| type => "iis" | |
| port => 3333 | |
| } | |
| } | |
| filter { | |
| grep { | |
| type => "iis" | |
| match => ["@message", "^#"] | |
| negate => true | |
| } | |
| grok { | |
| type => "iis" | |
| pattern => "%{DATESTAMP:EventTime} %{WORD:sitename} %{HOSTNAME:computername} %{IP:hostip} %{URIPROTO:method} %{URIPATH:request} (?:%{NOTSPACE:queryparam}|-) %{NUMBER:port} (?:%{WORD:username}|-) %{IP:clientip} %{NOTSPACE:httpversion} %{NOTSPACE:user-agent} (?:%{NOTSPACE:cookie}|-) (?:%{NOTSPACE:referer}|-) (?:%{HOSTNAME:host}|-) %{NUMBER:status} %{NUMBER:sub-status} %{NUMBER:win32-status} %{NUMBER:bytes-received} %{NUMBER:bytes-sent} %{NUMBER:time-taken}" | |
| } | |
| date { | |
| type => "iis" | |
| EventTime => "yyyy-MM-dd HH:mm:ss" | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| # Setting 'embedded' will run a real elasticsearch server inside logstash. | |
| # This option below saves you from having to run a separate process just | |
| # for ElasticSearch, so you can get started quicker! | |
| embedded => true | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment