filebeat collects IIS logs into es

Keywords: Linux IIS kafka Windows codec

If you need to collect IIS logs in your work, you can use the filebeat component.

Parsing the IIS log format:

Log example:

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2019-03-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-14 00:00:00 10.78.1.205 POST /EWS/Exchange.asmx ;RC:eb8ae63b-0fa6-4335-8595-78e3237566cd;Init>>Conn:0,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_ad9fd210-3d2c-4f73-968c-d5ca7a72dfd0,Norm,Sub:5000/0;SoapAction=GetUserOofSettingsResponse;MailboxRPCRequests=9;MailboxRPCLatency=0;ADRequests=2;ADLatency=0;TimeInGetUserOOFSettings=37;[C]Queues:0msec/Execute:31.2msec;End(46.8ms)>>Conn:1,HangingConn:0,AD:30000/30000/0%,CAS:54000/53954/1%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_ad9fd210-3d2c-4f73-968c-d5ca7a72dfd0,Norm[Resources:(Mdb)SADV(Health:-1%,HistLoad:0),],Sub:5000/0; 443 STAPLESCN\SH102247 10.78.9.29 Microsoft+Office/16.0+(Windows+NT+6.1;+Microsoft+Outlook+16.0.4738;+Pro) 200 0 0 124
2019-03-14 00:00:02 10.78.1.205 POST /ews/exchange.asmx - 443 - 10.78.1.208 MS-WebServices/1.0 401 0 0 31

Grok pattern that parses the data lines above (the '#' directive lines are excluded by filebeat, see below):

%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s_ip}|-) (%{WORD:cs_method}|-) %{NOTSPACE:cs_uri_stem} (%{NOTSPACE:cs_uri_query}|-) (%{NUMBER:s_port}|-) %{NOTSPACE:cs_username} (%{IPORHOST:c_ip}|-) %{NOTSPACE:cs_useragent} (%{NUMBER:sc_status}|-) (%{NUMBER:sc_substatus}|-) (%{NUMBER:sc_win32_status}|-) (%{NUMBER:time_taken}|-)

Filebeat configuration on Windows, with output to Kafka:

filebeat.inputs:
- type: log
  paths:
    - C:\inetpub\logs\LogFiles\W3SVC1\*
  #ignore_older: 2h
  exclude_lines: ['^#']
  tags: ["iis-206"]
  fields:
    type: "iis"
    log_topic: "iis"
  fields_under_root: true

output.kafka:
  enabled: true
  hosts: ["10.78.1.85:9092","10.78.1.87:9092","10.78.1.71:9092"]
  topic: "%{[log_topic]}"
  partition.round_robin:
    reachable_only: true
  worker: 2
  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000


Logstash reads the log from Kafka, parses it and writes it to Elasticsearch:

input {
    kafka {
        bootstrap_servers => "10.78.1.85:9092,10.78.1.87:9092,10.78.1.71:9092"
        topics => ["iis"]
        codec => "json"
    }
}

filter {
    grok {
        match => ["message","%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s_ip}|-) (%{WORD:cs_method}|-) %{NOTSPACE:cs_uri_stem} (%{NOTSPACE:cs_uri_query}|-) (%{NUMBER:s_port}|-) %{NOTSPACE:cs_username} (%{IPORHOST:c_ip}|-) %{NOTSPACE:cs_useragent} (%{NUMBER:sc_status}|-) (%{NUMBER:sc_substatus}|-) (%{NUMBER:sc_win32_status}|-) (%{NUMBER:time_taken}|-)"]
    }
    date {
        match => ["log_timestamp","yyyy-MM-dd HH:mm:ss"]
        #timezone => "Asia/Shanghai"
        timezone => "+00:00"
        target => "@timestamp"
    }
    mutate {
        remove_field => ["@version","beat","message","log_timestamp"]
    }
}
output {
    if [type] == "iis" {
        #if [tags][0] == "iis" {
            elasticsearch {
                hosts  => ["10.10.5.78:9200","10.10.5.79:9200","10.10.5.80:9200"]
                index  => "iis-%{+YYYY.MM.dd}"
            }
            #stdout { codec=> rubydebug }
        #}
    }
}

About the time zone:

With the default IIS log time format, the recorded time is 8 hours behind the system time, so the timestamps in the IIS log are not the correct local time. It is recommended to have Logstash apply the time offset directly during parsing.

To do this, add timezone => "+00:00" to the date filter in the filter section, as in the configuration above.
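To check offline what the grok pattern and the date filter above produce, here is a small parser for the same W3C log format. It is an added example, not code from the original post or from Filebeat/Logstash: it reads the #Fields header, skips the '#' directive lines (like exclude_lines), turns '-' into an empty value, and stamps the combined date/time as UTC (the "+00:00" point). The second sample line is the one from the log excerpt above; the third line is constructed.

```python
"""Parse IIS W3C extended log lines into dicts, mirroring the grok pattern,
and attach the timestamp as UTC, mirroring the date filter's timezone."""
from datetime import datetime, timezone
from typing import List

# #Fields names mapped to the field names used in the grok pattern.
FIELD_RENAMES = {"cs(User-Agent)": "cs_useragent"}
NUMERIC_FIELDS = {"s_port", "sc_status", "sc_substatus", "sc_win32_status", "time_taken"}


def _field_name(raw: str) -> str:
    return FIELD_RENAMES.get(raw, raw.replace("-", "_"))


def parse_iis_log(lines: List[str]) -> List[dict]:
    """Return one dict per data line; '#' lines are directives and are skipped
    (the same effect as filebeat's exclude_lines: ['^#'])."""
    fields: List[str] = []
    records: List[dict] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [_field_name(f) for f in line[len("#Fields:"):].split()]
            continue
        if not fields:
            raise ValueError("data line seen before the #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        rec = {}
        for name, value in zip(fields, values):
            if value == "-":
                rec[name] = None  # IIS writes '-' for an empty field
            elif name in NUMERIC_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        # IIS writes date and time in UTC, so tag the timestamp explicitly
        # instead of letting a consumer assume the local (UTC+8) system time.
        stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["@timestamp"] = stamp.replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


# Sample input: header and the second data line from the excerpt above, plus one
# constructed line that carries a query string and an empty username.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2019-03-14 00:00:02 10.78.1.205 POST /ews/exchange.asmx - 443 - 10.78.1.208 MS-WebServices/1.0 401 0 0 31",
    "2019-03-14 00:00:05 10.78.1.205 GET /owa/ a=1&b=2 443 - 10.78.9.29 Mozilla/5.0 200 0 0 12",
]
```

A line whose field count does not match the header raises instead of being silently mis-mapped, which is the same failure the grok pattern would surface as a _grokparsefailure tag.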
Posted by timc37 on Mon, 02 Dec 2019 20:29:53 -0800