Re: Here's an IIS log filter example for you

Posted: Tue Nov 04, 2014 10:30 am
by lgroschen
vAJ,

Just curious, but does the 'tags' row have a _grokparsefailure on your logs that you have already received?

Re: Here's an IIS log filter example for you

Posted: Tue Nov 04, 2014 11:01 am
by vAJ
Just getting back in the office from some time off. Looks like it started working late Friday, but not right away when I made the change. I'm now seeing separate IIS, Apache, Event and Syslog data.

I think we're good.

For record-keeping, here's my final filter:

# Only handle events NXLog tagged with the IIS input module name
if [SourceModuleName] == 'iis_log1' {
    grok {
        # IIS W3C fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
        # cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
        # cs-uri-query is logged as "-" when absent, hence the alternation
        match => ["message", "%{TIMESTAMP_ISO8601:logtime} %{IP:host_ip} %{URIPROTO:method} %{URIPATH:path} (?:-|%{NOTSPACE:uri_query}) %{NUMBER:port} %{NOTSPACE:username} %{IP:client_ip} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:timetaken}"]
    }
    mutate {
        # Give IIS events their own type so they are kept apart from Apache, Event and Syslog data
        replace => [ 'type', 'iis_log' ]
    }
}
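To show what the grok pattern above actually extracts, and why the `_grokparsefailure` tag asked about earlier appears on some events, here is an added Python translation of it (example code, not from the thread): the regexes approximate the grok library's built-in patterns for the IIS fields, and the sample log lines are constructed.

```python
import re

# Translation of the posted grok pattern; capture names mirror the grok field names.
# The sub-patterns approximate grok's TIMESTAMP_ISO8601, IP (IPv4 only here),
# URIPROTO, URIPATH, NOTSPACE and NUMBER definitions closely enough for IIS W3C lines.
IIS_GROK_AS_REGEX = re.compile(
    r"^(?P<logtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Za-z][A-Za-z0-9+\-.]*) "
    r"(?P<path>/\S*) "
    r"(?:-|(?P<uri_query>\S+)) "      # cs-uri-query is "-" when the request had none
    r"(?P<port>\d+) "
    r"(?P<username>\S+) "
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<useragent>\S+) "
    r"(?P<response>\d+) "             # sc-status
    r"(?P<subresponse>\d+) "          # sc-substatus
    r"(?P<scstatus>\d+) "             # sc-win32-status
    r"(?P<timetaken>\d+)$"
)


def parse_iis_line(line):
    """Mimic the grok + mutate pair: return the parsed event, or an event tagged
    _grokparsefailure when the line does not match (as Logstash does)."""
    m = IIS_GROK_AS_REGEX.match(line.rstrip("\r\n"))
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["type"] = "iis_log"  # the mutate/replace step from the filter
    return event


def parse_iis_log(lines):
    """Parse many lines; return (parsed events, count of _grokparsefailure events)."""
    events = [parse_iis_line(l) for l in lines]
    failures = sum(1 for e in events if "_grokparsefailure" in e.get("tags", []))
    return events, failures


# Constructed sample lines in the field order the grok pattern expects.
SAMPLE_OK = "2014-10-31 14:22:05 10.0.0.5 GET /login.aspx - 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 312"
SAMPLE_QUERY = "2014-10-31 14:22:06 10.0.0.5 GET /search.aspx q=test&page=2 443 DOMAIN\\jdoe 192.0.2.44 curl/7.30 404 0 2 15"
# IIS writes #Software/#Version/#Date/#Fields header lines at the top of every log
# file; they never match the pattern and are a common source of _grokparsefailure.
SAMPLE_HEADER = "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken"

if __name__ == "__main__":
    events, failures = parse_iis_log([SAMPLE_HEADER, SAMPLE_OK, SAMPLE_QUERY])
    print(f"{len(events)} events, {failures} with _grokparsefailure")
```

Header lines can be dropped before grok (for example with a conditional on lines starting with `#`) so the failure tag only flags genuinely malformed events.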

Re: Here's an IIS log filter example for you

Posted: Tue Nov 04, 2014 11:27 am
by lgroschen
Excellent. Glad it's working how you want it, locking this post.

/Luke