CODEWITHSUNDEEP
logstash-groklogstash-configurationgroklogstash-fileopengrok
Rj1
Rj1

Reputation: 469

What will be Grok Pattern for following IIS logs?

I have following IIS server logs :

2018-09-16 04:11:47 W3SVC10 webserver 107.6.166.194 POST /api/uploadjsontrip - 443 - 203.77.177.176 HTTP/1.1 Java/1.8.0_45 - - vehicletrack.biz 200 0 0 506 872 508

Data Description:

date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

How to write the Grok pattern to extract the value of each column??

I tried following but it did not work.

%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:s-sitename} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Cookie)} %{NOTSPACE:cs(Referer)} %{NOTSPACE:cs-host} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-win32-status:int} %{NUMBER:sc-bytes:int} %{NUMBER:cs-bytes:int} %{NUMBER:time-taken:int}" ,
"message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:s-sitename} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Referer)} %{NUMBER:response:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-substatus:int} %{NUMBER:time-taken:int}" ,
"message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-post-data} %{NUMBER:s-port} %{IPORHOST:c-ip} HTTP/%{NUMBER:c-http-version} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Cookie)} %{NOTSPACE:cs(Referer)} %{NOTSPACE:cs-host} %{NUMBER:sc-status:int} %{NUMBER:sc-bytes:int} %{NUMBER:cs-bytes:int} %{NUMBER:time-taken:int}

Please help me.

Thanks in advance.

Upvotes: 0

Views: 1467

Answers (1)

nitzien
nitzien

Reputation: 1267

This will work for grok line that you have provided. But it may fail near user-agent and cookie depending on data. 

%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:s_sitename} %{WORD:s_computername} %{IPV4:s_ip} %{WORD:cs_method} %{URIPATH:cs_uri_stem} %{DATA:cs_uri_query} %{NUMBER:s_port} - %{IPV4:cs_ip} HTTP/%{NUMBER:cs_vserion} %{NOTSPACE:cs_user_agent} %{NOTSPACE:cs_cookie} (-|%{URI:cs_refrer}) %{IPORHOST:cs_host} %{INT:sc_status} %{INT:sc_substatus} %{INT:sc_win32-status} %{INT:sc_bytes} %{INT:cs_bytes} %{INT:time_taken}

Also, you might find this tool easier to do any grok testing and debugging https://grokdebug.herokuapp.com/

Upvotes: 0

Related Questions