ELK分析IIS日志

 

LogStash.conf

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

input {   file {     type => "iis_log"     path => ["C:/inetpub/logs/LogFiles/W3SVC2/u_ex*.log"]   } } filter {   #ignore log comments   if [message] =~ "^#" {     drop {}   }     grok {     # check that fields match your IIS log settings     match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} (%{IPORHOST:s-ip}|-) (%{WORD:cs-method}|-) %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} (%{NUMBER:s-port}|-) (%{NOTSPACE:c-username}|-) (%{IPORHOST:c-ip}|-) %{NOTSPACE:cs-useragent} (%{NUMBER:sc-status}|-) (%{NUMBER:sc-win32-status}|-) (%{NUMBER:time-taken}|-)"]   }   #Set the Event Timesteamp from the log     date {         match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]         timezone => "Etc/UCT"         }   mutate {             remove_field => [ "log_timestamp"]             convert => [ "sc-bytes", "float" ]             convert => [ "cs-bytes", "float" ]             convert => [ "time-taken", "float" ]         }         mutate {     remove_field => [ "log_timestamp"]     convert => [ "sc-bytes", "float" ]     convert => [ "cs-bytes", "float" ]     convert => [ "time-taken", "float" ]   }   } output {   stdout {codec => rubydebug }     elasticsearch {         hosts => ["localhost:9200"]         index => "logstash-%{type}-%{+YYYY.MM.dd}"         flush_size => 20000         idle_flush_time => 10         template_overwrite => true     }   redis {     host => '127.0.0.1'     data_type => 'list'     key => 'logstash:redis'   } }