LogStash.conf
input {
file {
type => "iis_log"
path => ["C:/inetpub/logs/LogFiles/W3SVC2/u_ex*.log"]
}
}
filter {
#ignore log comments
if [message] =~ "^#" {
drop {}
}
grok {
# check that fields match your IIS log settings
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s-ip}|-) (%{WORD:cs-method}|-) %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} (%{NUMBER:s-port}|-) (%{NOTSPACE:c-username}|-) (%{IPORHOST:c-ip}|-) %{NOTSPACE:cs-useragent} (%{NUMBER:sc-status}|-) (%{NUMBER:sc-win32-status}|-) (%{NUMBER:time-taken}|-)"]
}
#Set the Event Timesteamp from the log
date {
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UCT"
}
mutate {
remove_field => [ "log_timestamp"]
convert => [ "sc-bytes", "float" ]
convert => [ "cs-bytes", "float" ]
convert => [ "time-taken", "float" ]
}
mutate {
remove_field => [ "log_timestamp"]
convert => [ "sc-bytes", "float" ]
convert => [ "cs-bytes", "float" ]
convert => [ "time-taken", "float" ]
}
}
output {
stdout {codec => rubydebug }
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
flush_size => 20000
idle_flush_time => 10
template_overwrite => true
}
redis {
host => '127.0.0.1'
data_type => 'list'
key => 'logstash:redis'
}
}