Here's an IIS log filter example for you

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
lgroschen
Posts: 384
Joined: Wed Nov 27, 2013 1:17 pm

Re: Here's an IIS log filter example for you

Post by lgroschen »

vAJ,

Just curious, but does the 'tags' row have a _grokparsefailure on your logs that you have already received?
/Luke
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Here's an IIS log filter example for you

Post by vAJ »

Just getting back in the office from some time off. Looks like it started working late Friday, but not right away when I made the change. I'm now seeing separate IIS, Apache, Event and Syslog data.

I think we're good.

For record-keeping, here's my final filter:

Code:

# Only touch events that nxlog tagged with the IIS input module name
if [SourceModuleName] == 'iis_log1' {
    grok {
        # W3C fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
        # cs-uri-query is "-" when empty, hence the (?:-|...) alternative
        match => ["message", "%{TIMESTAMP_ISO8601:logtime} %{IP:host_ip} %{URIPROTO:method} %{URIPATH:path} (?:-|%{NOTSPACE:uri_query}) %{NUMBER:port} %{NOTSPACE:username} %{IP:client_ip} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]
    }
    mutate {
        # Re-type the event so IIS data is kept apart from Apache/Event/Syslog
        replace => [ 'type', 'iis_log' ]
    }
}
Andrew J. - Do you even grok?
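To see what the filter above actually extracts, and what a `_grokparsefailure` tag (the thing Luke asked about earlier in the thread) looks like on an event, here is an added Python example that is not part of this thread or of Nagios Log Server. It rebuilds the grok pattern from vAJ's final filter with hand-written regex equivalents of the grok primitives (an assumption: `IP` is simplified to IPv4 only, and the match is anchored to the whole line), runs it over a few constructed IIS W3C log lines, and produces Logstash-style events with the same field names the filter uses.

```python
import re

# Regex equivalents of the grok primitives used in the filter.
# Assumption: simplified versions (IP is IPv4 only); close enough for IIS W3C lines.
_GROK = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "URIPROTO": r"[A-Za-z]+(?:\+[A-Za-z+]+)?",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)",
}

# The match string from the forum filter, field names unchanged.
GROK_PATTERN = (
    "%{TIMESTAMP_ISO8601:logtime} %{IP:host_ip} %{URIPROTO:method} %{URIPATH:path} "
    "(?:-|%{NOTSPACE:uri_query}) %{NUMBER:port} %{NOTSPACE:username} %{IP:client_ip} "
    "%{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} "
    "%{NUMBER:scstatus} %{NUMBER:timetaken}"
)


def grok_to_regex(pattern: str) -> "re.Pattern":
    """Expand every %{NAME:field} into a named capture group and anchor the result."""
    def expand(m: "re.Match") -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{_GROK[name]})"
    return re.compile("^" + re.sub(r"%\{(\w+):(\w+)\}", expand, pattern) + "$")


IIS_REGEX = grok_to_regex(GROK_PATTERN)


def parse_iis_line(line: str) -> dict:
    """Return a Logstash-style event: extracted fields on success,
    a '_grokparsefailure' tag (and no extra fields) when the pattern does not match."""
    event = {"message": line, "type": "iis_log", "tags": []}
    m = IIS_REGEX.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    # grok leaves values as strings; an empty cs-uri-query ("-") yields no uri_query field
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


def count_parse_failures(lines) -> int:
    """How many of the given lines would end up tagged _grokparsefailure."""
    return sum("_grokparsefailure" in parse_iis_line(l)["tags"] for l in lines)


# Constructed sample input: a W3C header line (which the filter cannot parse) and two requests.
SAMPLE_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2015-03-02 14:22:01 10.0.0.5 GET /default.aspx - 80 - 192.168.1.20 "
    "Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15",
    r"2015-03-02 14:22:05 10.0.0.5 GET /search.aspx q=nagios 80 DOMAIN\alice "
    r"192.168.1.21 Mozilla/5.0 404 0 2 3",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_iis_line(line))
    print("parse failures:", count_parse_failures(SAMPLE_LINES))
```

The header lines IIS writes at the top of each log file (`#Software:`, `#Fields:`, ...) never match the pattern, so they are what you would normally see carrying `_grokparsefailure` even on a working filter; everything else tagged that way points at a field-order mismatch between your IIS logging settings and the pattern.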
lgroschen
Posts: 384
Joined: Wed Nov 27, 2013 1:17 pm

Re: Here's an IIS log filter example for you

Post by lgroschen »

Excellent. Glad it's working how you want it, locking this post.

/Luke