rc1021/logstash-w3c.conf

## logstash-w3c.conf
input {
    beats {
        port => "5044"
    }
}

filter {
  ## Ignore the comments that IIS will add to the start of the W3C logs
  #
  if [message] =~ "^#" {
    drop {}
  }

  grok {
    ## Very helpful site for building these statements:
    #   http://grokdebug.herokuapp.com/
    #
    # This is configured to parse out every field of IIS's W3C format when
    #   every field is included in the logs
    #
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{NOTSPACE:serverName} %{IP:serverIP} %{WORD:method} %{NOTSPACE:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
  }

  ## Set the Event Timesteamp from the log
  #
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
  }
  ## Perform some mutations on the records to prep them for Elastic
  #
  mutate {
    ## Convert some fields from strings to integers
    #
    convert => ["bytesSent", "integer"]
    convert => ["bytesReceived", "integer"]
    convert => ["timetaken", "integer"]

    ## Create a new field for the reverse DNS lookup below
    #
    add_field => { "clientHostname" => "%{clientIP}" }

    ## Finally remove the original log_timestamp field since the event will
    #   have the proper date on it
    #
    remove_field => [ "log_timestamp"]
  }

  ## If the log record has a value for 'bytesSent', then add a new field
  #   to the event that converts it to kilobytes
  #
  if [bytesSent] {
    ruby {
      code => "event.set('kilobytesSent', event.get('bytesSent').to_i / 1024.0)"
    }
  }

  ## Do the same conversion for the bytes received value
  #
  if [bytesReceived] {
    ruby {
      code => "event.set('kilobytesReceived', event.get('bytesReceived').to_i / 1024.0)"
    }
  }

  ## Do a reverse lookup on the client IP to get their hostname.
  #
  dns {
    ## Now that we've copied the clientIP into a new field we can
    #   simply replace it here using a reverse lookup
    #
    action => "replace"
    reverse => ["clientHostname"]
  }

  ## Parse out the user agent
  #
    useragent {
        source=> "useragent"
        prefix=> "browser"
    }

    geoip {
        source => "clientIP"
    }
}

output {
    stdout { codec => rubydebug }
}
	input {
	beats {
	port => "5044"
	}
	}

	filter {
	## Ignore the comments that IIS will add to the start of the W3C logs
	#
	if [message] =~ "^#" {
	drop {}
	}

	grok {
	## Very helpful site for building these statements:
	# http://grokdebug.herokuapp.com/
	#
	# This is configured to parse out every field of IIS's W3C format when
	# every field is included in the logs
	#
	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{NOTSPACE:serverName} %{IP:serverIP} %{WORD:method} %{NOTSPACE:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
	}

	## Set the Event Timesteamp from the log
	#
	date {
	match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
	timezone => "Etc/UTC"
	}
	## Perform some mutations on the records to prep them for Elastic
	#
	mutate {
	## Convert some fields from strings to integers
	#
	convert => ["bytesSent", "integer"]
	convert => ["bytesReceived", "integer"]
	convert => ["timetaken", "integer"]

	## Create a new field for the reverse DNS lookup below
	#
	add_field => { "clientHostname" => "%{clientIP}" }

	## Finally remove the original log_timestamp field since the event will
	# have the proper date on it
	#
	remove_field => [ "log_timestamp"]
	}

	## If the log record has a value for 'bytesSent', then add a new field
	# to the event that converts it to kilobytes
	#
	if [bytesSent] {
	ruby {
	code => "event.set('kilobytesSent', event.get('bytesSent').to_i / 1024.0)"
	}
	}

	## Do the same conversion for the bytes received value
	#
	if [bytesReceived] {
	ruby {
	code => "event.set('kilobytesReceived', event.get('bytesReceived').to_i / 1024.0)"
	}
	}

	## Do a reverse lookup on the client IP to get their hostname.
	#
	dns {
	## Now that we've copied the clientIP into a new field we can
	# simply replace it here using a reverse lookup
	#
	action => "replace"
	reverse => ["clientHostname"]
	}

	## Parse out the user agent
	#
	useragent {
	source=> "useragent"
	prefix=> "browser"
	}

	geoip {
	source => "clientIP"
	}
	}

	output {
	stdout { codec => rubydebug }
	}