Logstash.conf
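# Logstash pipeline: tail IIS W3C request logs, parse each line with grok,
# stamp events with the log's own time, and ship them to Elasticsearch and
# Redis.  Reconstructed from a line-collapsed, case-mangled copy: Logstash
# setting names and field names are lowercase, assignment is `=>`, and grok
# pattern names are upper-case.

input {
  file {
    type => "iis_log"
    path => ["C:/inetpub/logs/logfiles/w3svc2/u_ex*.log"]
  }
}

filter {
  # IIS writes W3C header/comment lines that start with '#'; they carry no
  # request data, so drop them before grok tries (and fails) to parse them.
  if [message] =~ "^#" {
    drop { }
  }

  grok {
    # Check that these fields match the W3C fields enabled on the IIS site;
    # a mismatch leaves every event tagged _grokparsefailure instead of
    # producing searchable fields.  Pattern names are case-sensitive
    # (TIMESTAMP_ISO8601, IPORHOST, ...), as is the "message" field name.
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s-ip}|-) (%{WORD:cs-method}|-) %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} (%{NUMBER:s-port}|-) (%{NOTSPACE:c-username}|-) (%{IPORHOST:c-ip}|-) %{NOTSPACE:cs-useragent} (%{NUMBER:sc-status}|-) (%{NUMBER:sc-win32-status}|-) (%{NUMBER:time-taken}|-)"]
  }

  # Set @timestamp from the log's own date field rather than the ingest time,
  # so searches and alerts reflect when the request actually happened.
  date {
    # Joda pattern letters are case-sensitive: "MM" is month, "mm" is minutes,
    # so the original "yyyy-mm-dd" would parse minutes where the month is.
    match => ["log_timestamp", "YYYY-MM-dd HH:mm:ss"]
    # IIS W3C logs are written in UTC; the zone id is case-sensitive too.
    timezone => "Etc/UTC"
  }

  # The source repeated this block verbatim; one copy is enough.  The
  # sc-bytes / cs-bytes conversions are no-ops unless the grok pattern above
  # is extended to capture those fields.
  mutate {
    remove_field => ["log_timestamp"]
    convert => ["sc-bytes", "float"]
    convert => ["cs-bytes", "float"]
    convert => ["time-taken", "float"]
  }
}

output {
  # Debug aid: echoes every event (client IPs, usernames, URIs) to stdout.
  stdout { codec => rubydebug }

  elasticsearch {
    # Plaintext to the loopback address with no credentials is only
    # acceptable while both sides stay on this host; the plugin's ssl,
    # user and password settings cover the off-host case.
    hosts => ["localhost:9200"]
    # "dd" is day-of-month; the original "DD" is day-of-year in Joda.
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
    flush_size => 20000
    # idle_flush_time had no value in the source; the plugin default applies.
    template_overwrite => true
  }

  redis {
    host => "127.0.0.1"
    data_type => "list"
    key => "logstash:redis"
  }
}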
ELK: parsing IIS logs