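input {
  # IIS events arrive as one line per event over TCP from a remote shipper.
  # As written (no TLS, no client verification, bound to every interface by
  # default) this port accepts plaintext from any host that can reach it: a
  # third party can inject fabricated 'iis' events into the index, and the real
  # logs (usernames, query strings, client addresses) cross the network in the
  # clear. Mutual TLS closes both gaps; the shippers must be reconfigured to
  # present a certificate signed by the CA below.
  tcp {
    port => 5544
    type => 'iis'
    # Server certificate/key for this listener.
    ssl_enable => true
    ssl_cert   => "C:/XXX/certs/logstash.crt"
    ssl_key    => "C:/XXX/certs/logstash.key"
    # Require and verify a client certificate. In logstash-input-tcp 2.x/3.x the
    # trust anchor is ssl_cacert; later plugin releases renamed these options
    # (ssl_extra_chain_certs / ssl_certificate_authorities, ssl_enabled) --
    # confirm against the installed plugin version.
    ssl_verify => true
    ssl_cacert => "C:/XXX/certs/shipper-ca.crt"
    # Optionally pin the listener to one interface instead of 0.0.0.0:
    # host => "XX.XXX.XXX.XXX"
  }
  # Sitefinity error logs are read locally on this host; only *Error*.log files
  # are tailed, starting from the end of each file.
  file {
    path => 'C:/XXX/IIS/SitefinityLogs/*Error*.log'
    type => 'sitefinity'
    start_position => 'end'
  }
}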
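filter {
  if [type] == 'iis' {
    # IIS W3C logs start with "#Fields:", "#Date:" etc. header lines; they are
    # not events, so discard them before grok runs.
    if [message] =~ "^#" {
      drop {}
    }
    # Field order must match the W3C fields enabled in IIS logging. A line that
    # does not match is tagged _grokparsefailure and keeps the raw message.
    # NOTE(review): 'username' and 'querystring' are indexed verbatim; if query
    # strings can carry session tokens or other secrets, mask or drop them here
    # before they reach Elasticsearch -- confirm against the application.
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{IPORHOST:cshost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken} %{IPORHOST:sourceip}"]
    }
    # Use the log's own timestamp as @timestamp. IIS writes W3C log times in
    # UTC by default, hence the explicit Etc/UTC rather than the host zone.
    date {
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
    }
    # Parse the user-agent string into browser* fields (prefix has no separator,
    # so the fields are named e.g. browsername, browseros).
    useragent {
      source=> "useragent"
      prefix=> "browser"
    }
    # Enrich with location of the source address. add_field is only applied on
    # a successful lookup, so private/unresolvable addresses get no coordinates.
    # The two add_field entries build a [lon, lat] array for the geo_point mapping.
    geoip {
      source => "sourceip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    # Drop the raw timestamp (now in @timestamp) and give numeric fields
    # numeric types so Kibana can aggregate on them. 'port' and 'subresponse'
    # are converted too, for consistency with the other status/number fields.
    mutate {
      remove_field => [ "log_timestamp"]
      convert => [ "[geoip][coordinates]", "float" ]
      convert => [ "time_taken", "integer" ]
      convert => [ "response", "integer" ]
      convert => [ "subresponse", "integer" ]
      convert => [ "scstatus", "integer" ]
      convert => [ "port", "integer" ]
    }
  }
  if [type] == 'sitefinity' {
    # Each Sitefinity entry begins with "Timestamp: MM/dd/yyyy HH:mm:ss"; every
    # line that does NOT start that way is appended to the previous event.
    # The multiline filter buffers state across events and is not safe with
    # more than one filter worker (-w); run single-worker or move this to a
    # multiline codec on the file input.
    multiline {
      # 12/20/2015 06:42:30
      pattern => "^Timestamp: [0-9]{2}/[0-9]{2}/[0-9]{4} ([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]"
      # pattern => '%{TIMESTAMP_SF}'
      what => 'previous'
      negate => true
    }
  }
}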
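output {
  # Index into the Elasticsearch cluster. The original sent basic-auth
  # credentials and all log data over plain HTTP; enabling ssl makes the
  # plugin use https:// for every host and verify the server certificate
  # against the CA given in cacert.
  elasticsearch {
    hosts  => ["XX.XXX.XXX.XXX:9200", "XXX.XXX.XXX.XXX:9200"]
    ssl    => true
    cacert => "C:/XXX/certs/elasticsearch-ca.crt"
    ssl_certificate_verification => true
    # NOTE(review): the 'logstash' account should hold only the privileges this
    # pipeline needs (index/create on its own indices), not an admin role --
    # confirm in the cluster's role definitions.
    user => "logstash"
    # Read the password from the environment instead of storing it in the
    # config file (${VAR} substitution needs Logstash 2.3 or newer; on older
    # releases keep the literal here and restrict the file's permissions).
    password => "${ES_PASSWORD}"
  }
}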