Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
logstash config for parsing IIS maximal logging
#tested using http://grokdebug.herokuapp.com/
input {
tcp {
type => "iis"
port => 3333
}
}
filter {
grep {
type => "iis"
match => ["@message", "^#"]
negate => true
}
grok {
type => "iis"
pattern => "%{DATESTAMP:EventTime} %{WORD:sitename} %{HOSTNAME:computername} %{IP:hostip} %{URIPROTO:method} %{URIPATH:request} (?:%{NOTSPACE:queryparam}|-) %{NUMBER:port} (?:%{WORD:username}|-) %{IP:clientip} %{NOTSPACE:httpversion} %{NOTSPACE:user-agent} (?:%{NOTSPACE:cookie}|-) (?:%{NOTSPACE:referer}|-) (?:%{HOSTNAME:host}|-) %{NUMBER:status} %{NUMBER:sub-status} %{NUMBER:win32-status} %{NUMBER:bytes-received} %{NUMBER:bytes-sent} %{NUMBER:time-taken}"
}
date {
type => "iis"
EventTime => "yyyy-MM-dd HH:mm:ss"
}
}
output {
elasticsearch {
# Setting 'embedded' will run a real elasticsearch server inside logstash.
# This option below saves you from having to run a separate process just
# for ElasticSearch, so you can get started quicker!
embedded => true
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment