nmische/debug.conf

## debug.conf
input {
  tcp {
    type => "iis_advanced_full"
    port => 3333
  }
}

filter {
  grok {
    type => "iis_advanced_full"
    pattern => "(?:-|\"%{IP:x_forwarded_for}\") %{NUMBER:sc_win32_status} (?:-|%{NONNEGINT:w3wp-privatebytes}) (?:-|%{DATA:username}) (?:-|\"%{DATA:agent}\") %{URIPATHPARAM:request} (?:-|%{DATA:querysting}) %{TIME:time} %{TIME:time_local} %{NUMBER:time_taken_ms} %{INT:sc_substatus} %{INT:status} (?:-|\"%{IPORHOST:s_sitename}\") %{IP:s_ip} %{POSINT:s_port} \"%{DATA:s_computername}\" (?:-|%{NUMBER:requestspersecond}) (?:-|\"%{URI:cs_referrer}\") (?:-|\"%{DATA:s_proxy}\") (?:-|\"%{DATA:cs_version}\") (?:-|\"%{DATA:c_protocol}\") (?:-|%{WORD:cs_method}) (?:-|\"%{IPORHOST:cs_host}\") %{TIMESTAMP_ISO8601:endrequest_utc} %{DATE_EU:date} %{DATE_EU:date_local} (?:-|%{NUMBER:cpu_utilization}) (?:-|\"%{DATA:cs_cookie}\") (?:-|\"%{DATA:s_contentpath}\") %{IP:c_ip} %{NUMBER:sc_bytes} %{NUMBER:cs_bytes} %{TIMESTAMP_ISO8601:timestamp}"

  }

  mutate {
    gsub => [
      "timestamp", "(.*) (.*)", "\1 \2 +0000"
    ]
  }

  date {
    type => "iis_advanced_full"
    # Try to pull the timestamp from the 'timestamp' field (parsed above with
    # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
    timestamp => "yyyy-MM-dd kk:mm:ss.SSS Z"
  }
}

output {

  # Use stdout in debug mode again to see what logstash makes of the event.
  stdout {
    debug => true
    debug_format => "json"
  }

  elasticsearch {
    # Setting 'embedded' will run  a real elasticsearch server inside logstash.
    # This option below saves you from having to run a separate process just
    # for ElasticSearch, so you can get started quicker!
    embedded => true
  }

}
	input {
	tcp {
	type => "iis_advanced_full"
	port => 3333
	}
	}

	filter {
	grok {
	type => "iis_advanced_full"
	pattern => "(?:-\|\"%{IP:x_forwarded_for}\") %{NUMBER:sc_win32_status} (?:-\|%{NONNEGINT:w3wp-privatebytes}) (?:-\|%{DATA:username}) (?:-\|\"%{DATA:agent}\") %{URIPATHPARAM:request} (?:-\|%{DATA:querysting}) %{TIME:time} %{TIME:time_local} %{NUMBER:time_taken_ms} %{INT:sc_substatus} %{INT:status} (?:-\|\"%{IPORHOST:s_sitename}\") %{IP:s_ip} %{POSINT:s_port} \"%{DATA:s_computername}\" (?:-\|%{NUMBER:requestspersecond}) (?:-\|\"%{URI:cs_referrer}\") (?:-\|\"%{DATA:s_proxy}\") (?:-\|\"%{DATA:cs_version}\") (?:-\|\"%{DATA:c_protocol}\") (?:-\|%{WORD:cs_method}) (?:-\|\"%{IPORHOST:cs_host}\") %{TIMESTAMP_ISO8601:endrequest_utc} %{DATE_EU:date} %{DATE_EU:date_local} (?:-\|%{NUMBER:cpu_utilization}) (?:-\|\"%{DATA:cs_cookie}\") (?:-\|\"%{DATA:s_contentpath}\") %{IP:c_ip} %{NUMBER:sc_bytes} %{NUMBER:cs_bytes} %{TIMESTAMP_ISO8601:timestamp}"

	}

	mutate {
	gsub => [
	"timestamp", "(.) (.)", "\1 \2 +0000"
	]
	}

	date {
	type => "iis_advanced_full"
	# Try to pull the timestamp from the 'timestamp' field (parsed above with
	# grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
	timestamp => "yyyy-MM-dd kk:mm:ss.SSS Z"
	}
	}

	output {

	# Use stdout in debug mode again to see what logstash makes of the event.
	stdout {
	debug => true
	debug_format => "json"
	}

	elasticsearch {
	# Setting 'embedded' will run a real elasticsearch server inside logstash.
	# This option below saves you from having to run a separate process just
	# for ElasticSearch, so you can get started quicker!
	embedded => true
	}

	}