WolfangAukang · January 26, 2018 20:02
diff --git a/iis_logs_grok_pattern.conf b/iis_logs_grok_pattern.conf
 #Based on fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
 #More info on https://stackify.com/how-to-interpret-iis-logs/

 IISDATETIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
 IISLOGS %{IISDATETIME:timestamp} (-|%{IP:server_ip}) (-|%{WORD:method}) (-|%{NOTSPACE:uri_stem}) (-|%{NOTSPACE:uri_query}) (-|%{NUMBER:server_port}) (-|%{WORD:service_name}) (-|%{IP:client_ip}) (-|%{NOTSPACE:agent}) (-|%{NOTSPACE:referrer}) (-|%{NUMBER:status}) (-|%{NUMBER:sub_status}) (-|%{NUMBER:win32_status}) (-|%{NUMBER:seconds_taken})
	#Based on fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
	#More info on https://stackify.com/how-to-interpret-iis-logs/

	IISDATETIME %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}
	IISLOGS %{IISDATETIME:timestamp} (-\|%{IP:server_ip}) (-\|%{WORD:method}) (-\|%{NOTSPACE:uri_stem}) (-\|%{NOTSPACE:uri_query}) (-\|%{NUMBER:server_port}) (-\|%{WORD:service_name}) (-\|%{IP:client_ip}) (-\|%{NOTSPACE:agent}) (-\|%{NOTSPACE:referrer}) (-\|%{NUMBER:status}) (-\|%{NUMBER:sub_status}) (-\|%{NUMBER:win32_status}) (-\|%{NUMBER:seconds_taken})