If you need to collect IIS logs in your work, you can use the filebeat component;
Log format resolution of iis:
Log example:
#Software: Microsoft Internet Information Services 7.5 #Version: 1.0 #Date: 2019-03-14 00:00:00 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2019-03-14 00:00:00 10.78.1.205 POST /EWS/Exchange.asmx ;RC:eb8ae63b-0fa6-4335-8595-78e3237566cd;Init>>Conn:0,HangingConn:0,AD:30000/30000/0%,CAS:54000/54000/0%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_ad9fd210-3d2c-4f73-968c-d5ca7a72dfd0,Norm,Sub:5000/0;SoapAction=GetUserOofSettingsResponse;MailboxRPCRequests=9;MailboxRPCLatency=0;ADRequests=2;ADLatency=0;TimeInGetUserOOFSettings=37;[C]Queues:0msec/Execute:31.2msec;End(46.8ms)>>Conn:1,HangingConn:0,AD:30000/30000/0%,CAS:54000/53954/1%,AB:30000/30000/0%,RPC:36000/36000/0%,FC:1000/0,Policy:DefaultThrottlingPolicy_ad9fd210-3d2c-4f73-968c-d5ca7a72dfd0,Norm[Resources:(Mdb)SADV(Health:-1%,HistLoad:0),],Sub:5000/0; 443 STAPLESCN\SH102247 10.78.9.29 Microsoft+Office/16.0+(Windows+NT+6.1;+Microsoft+Outlook+16.0.4738;+Pro) 200 0 0 124 2019-03-14 00:00:02 10.78.1.205 POST /ews/exchange.asmx - 443 - 10.78.1.208 MS-WebServices/1.0 401 0 0 31
Parse the above logs:
%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s_ip}|-) (%{WORD:cs_method}|-) %{NOTSPACE:cs_uri_stem} (%{NOTSPACE:cs_uri_query}|-) (%{NUMBER:s_port}|-) %{NOTSPACE:cs_username} (%{IPORHOST:c_ip}|-) %{NOTSPACE:cs_useragent} (%{NUMBER:sc_status}|-) (%{NUMBER:sc_substatus}|-) (%{NUMBER:sc_win32_status}|-) (%{NUMBER:time_taken}|-)
The configuration content of filebeat in windows is output to kafka:
filebeat.inputs: - type: log paths: - C:\inetpub\logs\LogFiles\W3SVC1\* #ignore_older: 2h exclude_lines: ['^#'] tags: ["iis-206"] fields: type: "iis" log_topic: "iis" fields_under_root: true output.kafka: enabled: true hosts: ["10.78.1.85:9092","10.78.1.87:9092","10.78.1.71:9092"] topic: "%{[log_topic]}" partition.round_robin: reachable_only: true worker: 2 required_acks: 1 compression: gzip max_message_bytes: 10000000
logstash reads the log from kafka and parses it:
input { kafka { bootstrap_servers => "10.78.1.85:9092,10.78.1.87:9092,10.78.1.71:9092" topics => ["iis"] codec => "json" } } filter { grok { match => ["message","%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s_ip}|-) (%{WORD:cs_method}|-) %{NOTSPACE:cs_uri_stem} (%{NOTSPACE:cs_uri_query}|-) (%{NUMBER:s_port}|-) %{NOTSPACE:cs_username} (%{IPORHOST:c_ip}|-) %{NOTSPACE:cs_useragent} (%{NUMBER:sc_status}|-) (%{NUMBER:sc_substatus}|-) (%{NUMBER:sc_win32_status}|-) (%{NUMBER:time_taken}|-)"] } date { match => ["log_timestamp","yyyy-MM-dd HH:mm:ss"] #timezone => "Asia/Shanghai" timezone => "+00:00" target => "@timestamp" } mutate { remove_field => ["@version","beat","message","log_timestamp"] } } output { if [type] == "iis" { #if [tags][0] == "iis" { elasticsearch { hosts => ["10.10.5.78:9200","10.10.5.79:9200","10.10.5.80:9200"] index => "iis-%{+YYYY.MM.dd}" } #stdout { codec=> rubydebug } #} } }
About time zone:
The time recorded in the default time format of IIS is 8 hours later than the system time, which makes it difficult for IIS to record the correct time. It is recommended to use Logstash to directly increase the time during parsing;
Add: timezone = > "+ 00:00" to the data in the filter section