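# Logstash pipeline: Beats -> IIS W3C log parsing -> stdout (rubydebug).
#
# Expects one IIS W3C log line per event in [message], with every W3C field
# enabled on the IIS side, in the order given in the grok pattern below.

input {
  beats {
    port => "5044"
    # NOTE(security): no ssl => true here, so any host that can reach 5044
    # can ship arbitrary events in clear text. For anything beyond a lab,
    # set ssl => true with ssl_certificate / ssl_key (and
    # ssl_verify_mode => "force_peer" if you want client-certificate auth).
  }
}

filter {
  ## IIS writes "#Software:", "#Version:", "#Date:" and "#Fields:" header
  # lines into each W3C log file; they are not requests, so drop them.
  #
  if [message] =~ "^#" {
    drop {}
  }

  ## Parse every field of the IIS W3C format. Kibana's Dev Tools > Grok
  # Debugger is handy for adjusting this if your IIS field selection differs.
  #
  # Note that clientIP is IPORHOST (not IP): if IIS is configured to log
  # hostnames, the geoip filter below will fail for those events.
  # uriQuery and username are logged verbatim; if your application carries
  # tokens or credentials in query strings, mask or drop [uriQuery] before
  # shipping these events anywhere.
  #
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{NOTSPACE:serverName} %{IP:serverIP} %{WORD:method} %{NOTSPACE:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
  }

  ## Everything below relies on the fields grok extracts. If the line did
  # not match, grok tags the event _grokparsefailure and none of these
  # fields exist; running the rest of the chain would set clientHostname to
  # the literal string "%{clientIP}", do a DNS lookup on it, and add
  # _dateparsefailure / _geoip_lookup_failure noise. Pass such events
  # through untouched instead so the grok tag alone flags them.
  #
  if "_grokparsefailure" not in [tags] {

    ## Set @timestamp from the log line. IIS writes W3C timestamps in UTC.
    #
    date {
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
    }

    ## Prep the record for Elastic.
    #
    mutate {
      ## Numeric fields arrive as strings; convert the ones used in math.
      # (hash form: one convert option, unambiguous under the config parser)
      #
      convert => {
        "bytesSent"     => "integer"
        "bytesReceived" => "integer"
        "timetaken"     => "integer"
      }
      ## Copy the client IP into a field the dns filter can overwrite with
      # the reverse-lookup result, keeping the raw IP in clientIP.
      #
      add_field => { "clientHostname" => "%{clientIP}" }
      ## @timestamp now carries the event time; the raw copy is redundant.
      #
      remove_field => [ "log_timestamp" ]
    }

    ## Derive kilobytesSent / kilobytesReceived (floats) when the byte
    # counters are present.
    #
    if [bytesSent] {
      ruby {
        code => "event.set('kilobytesSent', event.get('bytesSent').to_i / 1024.0)"
      }
    }
    if [bytesReceived] {
      ruby {
        code => "event.set('kilobytesReceived', event.get('bytesReceived').to_i / 1024.0)"
      }
    }

    ## Reverse-resolve the client IP into clientHostname.
    #
    # NOTE(security): the PTR record is controlled by whoever owns the
    # client's address space, so treat clientHostname as untrusted display
    # data, not as an identity. Every lookup also sends the client IP to the
    # resolver; the caches below keep a busy site from hammering it.
    #
    dns {
      action => "replace"
      reverse => ["clientHostname"]
      hit_cache_size => 4096
      hit_cache_ttl => 900
      failed_cache_size => 4096
      failed_cache_ttl => 300
    }

    ## Parse the user agent string. Field names are case-sensitive: grok
    # stores it as userAgent (the original "useragent" never matched, so
    # no browser* fields were produced).
    #
    useragent {
      source => "userAgent"
      prefix => "browser"
    }

    ## GeoIP on the raw client IP. Fails (tag _geoip_lookup_failure) when
    # clientIP holds a hostname or a private address.
    #
    geoip {
      source => "clientIP"
    }
  }
}

output {
  stdout { codec => rubydebug }
}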