Start your 14-day free trial today & Get 20% Off All Annual Managed ELK Plans

No Credit Card Required

Try Logit.io Free

Already have an account? Sign In

backBack to Search
Send data via IIS to your Logstash instance provided by Logit.io

IIS Log Configuration

Ship logs from your IIS Websites to Logstash

Configure Filebeat to ship logs from IIS applications to Logstash and Elasticsearch.

Step 1 - Install FilebeatCopy

deb (Debian/Ubuntu/Mint)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-amd64.deb
sudo dpkg -i filebeat-oss-7.8.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-x86_64.rpm
sudo rpm -vi filebeat-oss-7.8.1-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-darwin-x86_64.tar.gz
tar xzvf filebeat-oss-7.8.1-darwin-x86_64.tar.gz

Windows

  • Download the filebeat Windows zip file from the official downloads page.
  • Extract the contents of the zip file into C:\Program Files.
  • Rename the filebeat-<version>-windows directory to filebeat.
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  • Run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1.
My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Enable IIS module in FilebeatCopy

We need to enable the IIS module in Filebeat so that filebeat know to look for IIS logs. In Powershell run the following command:

.\Filebeat modules enable iis

Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location

win <EXTRACTED_ARCHIVE>/modules.d/

Step 3 - Locate Configuration FileCopy

deb/rpm /etc/filebeat/filebeat.yml

Step 4 - Configure outputCopy

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - Validate configurationCopy

Let's check the configuration file is syntactically correct by running filebeat directly inside the terminal. If the file is invalid, filebeat will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo filebeat -e -c /etc/filebeat/filebeat.yml

macOS

cd <EXTRACTED_ARCHIVE>
./filebeat -e -c filebeat.yml

Windows

cd <EXTRACTED_ARCHIVE>
.\filebeat.exe -e -c filebeat.yml

Step 6 - (Optional) Update Logstash FiltersCopy

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add IIS specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "iis" {
  if [fileset][name] == "access" {
    grok {
      match => {
          "message" => [
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATHWITHBRACKET:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][referrer]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{NOTSPACE:[iis][access][server_name]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} HTTP/%{NUMBER:[iis][access][http_version]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} \[%{IPORHOST:[iis][access][server_ip]}\]\(http://%{IPORHOST:[iis][access][server_ip]}\) %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} \[%{IPORHOST:[iis][access][remote_ip]}\]\(http://%{IPORHOST:[iis][access][remote_ip]}\) %{NOTSPACE:[iis][access][agent]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}"
          ]
      }
      pattern_definitions => {
          "URIPATHWITHBRACKET" => "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-\[\]]*)+"
      }
    }
    mutate {
      rename => {
          "@timestamp" => "read_timestamp"
      }
    }
    date {
      match => [
          "[iis][access][time]",
          "yyyy-MM-dd HH:mm:ss"
      ]
      target => "@timestamp"
    }
    mutate {
      rename => {
          "[iis][access][agent]" => "[iis][access][user_agent][original]"
      }
    }
    grok {
      match => {
          "iis.access.remote_ip" => "%{NOZONEIP:[iis][access][remote_ip_geoip]}"
      }
      pattern_definitions => {
          "NOZONEIP" => "[^%]*"
      }
    }
    geoip {
      source => "[iis][access][remote_ip_geoip]"
      target => "[iis][access][geoip]"
    }
  }
  else if [fileset][name] == "error" {
    grok {
      match => {
          "message" => "%{TIMESTAMP_ISO8601:[iis][error][time]} %{IPORHOST:[iis][error][remote_ip]} %{NUMBER:[iis][error][remote_port]} %{IPORHOST:[iis][error][server_ip]} %{IPORHOST:[iis][error][server_port]} (?:HTTP/%{NUMBER:[iis][error][http_version]}|-) (?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? (?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
      }
    }
    mutate {
      rename => {
          "@timestamp" => "read_timestamp"
      }
    }
    date {
      match => [
          "[iis][error][time]",
          "yyyy-MM-dd HH:mm:ss"
      ]
      target => "@timestamp"
    }
    grok {
      match => {
          "iis.error.remote_ip" => "%{NOZONEIP:[iis][error][remote_ip_geoip]}"
      }
      pattern_definitions => {
          "NOZONEIP" => "[^%]*"
      }
    }
    geoip {
      source => "[iis][error][remote_ip_geoip]"
      target => "[iis][error][geoip]"
    }
  }
}
}

Step 7 - Start FilebeatCopy

Now we need to start the Filebeat service. In powershell run the following command:

Start-Service filebeat

Step 8 - IIS Logging OverviewCopy

Applications developed for .NET can be hosted on an IIS (Internet Information Services) web server which can only be used on the Windows operating system. IIS is commonly used to host web apps & static sites running on ASP.Net.

IIS is known for its high flexibility & rich features. The most recent version of IIS includes a number of out of the box security features including request filters, client certificate mapping & URL authorisation.

Modules for the latest version of IIS can be added as extensions to your configuration if required to process requests. These include modules for security, compression, content & caching which all hold a wealth of unique features essential to server administration teams.

Remote management is also included as part of the server’s functionality making it an ideal choice for DevOps teams undertaking remote work.

All of this server activity generates a huge amount of log data for analysis. Our IIS log file analyser can be used to centralise your data & set up alerts to monitor your application security in real-time as well as deliver metrics for Kibana visualisations & reports easily.

If you need any further assistance with analysing your IIS logs we're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicate Help Centre or via live chat & we'll be happy to assist.

Toggle View

Expand View

Return to Search