ELK分析IIS日志

LogStash.conf

input {
  file {
    type => "iis_log"
    path => ["C:/inetpub/logs/LogFiles/W3SVC2/u_ex*.log"]
  }
}
filter {
  #ignore log comments
  if [message] =~ "^#" {
    drop {}
  }

  grok {
    # check that fields match your IIS log settings
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s-ip}|-) (%{WORD:cs-method}|-) %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} (%{NUMBER:s-port}|-) (%{NOTSPACE:c-username}|-) (%{IPORHOST:c-ip}|-) %{NOTSPACE:cs-useragent} (%{NUMBER:sc-status}|-) (%{NUMBER:sc-win32-status}|-) (%{NUMBER:time-taken}|-)"]
  }
  #Set the Event Timesteamp from the log
	date {
		match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
		timezone => "Etc/UCT"
		}
  mutate {
			remove_field => [ "log_timestamp"]
			convert => [ "sc-bytes", "float" ]
			convert => [ "cs-bytes", "float" ]
			convert => [ "time-taken", "float" ]
		}
    
  mutate {
    remove_field => [ "log_timestamp"]
	convert => [ "sc-bytes", "float" ]
    convert => [ "cs-bytes", "float" ]
    convert => [ "time-taken", "float" ]
  }

}
output {
  stdout {codec => rubydebug }
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "logstash-%{type}-%{+YYYY.MM.dd}"
		flush_size => 20000
        idle_flush_time => 10
        template_overwrite => true
    }
  redis {
    host => '127.0.0.1'
    data_type => 'list'
    key => 'logstash:redis'
  }
}

posted @ 2017-01-04 17:37 霍旭东阅读(814) 评论(3) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

Look Into Coding

君子性非异也，善假于物也

ELK分析IIS日志

公告