Step 1 - Install Filebeat

Windows

  • Download the Filebeat Windows zip file from the official downloads page.

  • Extract the contents of the zip file into C:\Program Files.

  • Rename the filebeat-<version>-windows directory to Filebeat.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.

  • Run the following commands to install Filebeat as a Windows service:

    cd 'C:\Program Files\Filebeat' .\install-service-filebeat.ps1

      If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
Step 2 - Locate the configuration file

Open C:\Program Files\Filebeat\filebeat.yml

Step 3 - Enable IIS module in Filebeat

We need to enable the IIS module in Filebeat so that filebeat know to look for IIS logs. In Powershell run the following command:

.\Filebeat modules enable iis

Step 4 - Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true
Step 5 - Update your logstash filters (Optional)

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add IIS specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "iis" {
  if [fileset][name] == "access" {
    grok {
      match => {
          "message" => [
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATHWITHBRACKET:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][referrer]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{NOTSPACE:[iis][access][site_name]} %{NOTSPACE:[iis][access][server_name]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} HTTP/%{NUMBER:[iis][access][http_version]} %{NOTSPACE:[iis][access][agent]} %{NOTSPACE:[iis][access][cookie]} %{NOTSPACE:[iis][access][referrer]} %{NOTSPACE:[iis][access][hostname]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][body_sent][bytes]} %{NUMBER:[iis][access][body_received][bytes]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} \[%{IPORHOST:[iis][access][server_ip]}\]\(http://%{IPORHOST:[iis][access][server_ip]}\) %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} \[%{IPORHOST:[iis][access][remote_ip]}\]\(http://%{IPORHOST:[iis][access][remote_ip]}\) %{NOTSPACE:[iis][access][agent]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}",
            "%{TIMESTAMP_ISO8601:[iis][access][time]} %{IPORHOST:[iis][access][server_ip]} %{WORD:[iis][access][method]} %{URIPATH:[iis][access][url]} %{NOTSPACE:[iis][access][query_string]} %{NUMBER:[iis][access][port]} %{NOTSPACE:[iis][access][user_name]} %{IPORHOST:[iis][access][remote_ip]} %{NOTSPACE:[iis][access][agent]} %{NUMBER:[iis][access][response_code]} %{NUMBER:[iis][access][sub_status]} %{NUMBER:[iis][access][win32_status]} %{NUMBER:[iis][access][request_time_ms]}"
          ]
      }
      pattern_definitions => {
          "URIPATHWITHBRACKET" => "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-\[\]]*)+"
      }
    }
    mutate {
      rename => {
          "@timestamp" => "read_timestamp"
      }
    }
    date {
      match => [
          "[iis][access][time]",
          "yyyy-MM-dd HH:mm:ss"
      ]
      target => "@timestamp"
    }
    mutate {
      rename => {
          "[iis][access][agent]" => "[iis][access][user_agent][original]"
      }
    }
    grok {
      match => {
          "iis.access.remote_ip" => "%{NOZONEIP:[iis][access][remote_ip_geoip]}"
      }
      pattern_definitions => {
          "NOZONEIP" => "[^%]*"
      }
    }
    geoip {
      source => "[iis][access][remote_ip_geoip]"
      target => "[iis][access][geoip]"
    }
  }
  else if [fileset][name] == "error" {
    grok {
      match => {
          "message" => "%{TIMESTAMP_ISO8601:[iis][error][time]} %{IPORHOST:[iis][error][remote_ip]} %{NUMBER:[iis][error][remote_port]} %{IPORHOST:[iis][error][server_ip]} %{IPORHOST:[iis][error][server_port]} (?:HTTP/%{NUMBER:[iis][error][http_version]}|-) (?:%{WORD:iis.error.method}|-) (?:%{URIPATHPARAM:iis.error.url}|-)(?: -)? (?:%{NUMBER:iis.error.response_code}|-) (?:%{NUMBER}|-) (?:%{NOTSPACE:iis.error.reason_phrase}|-) (?:%{NOTSPACE:iis.error.queue_name}|-)"
      }
    }
    mutate {
      rename => {
          "@timestamp" => "read_timestamp"
      }
    }
    date {
      match => [
          "[iis][error][time]",
          "yyyy-MM-dd HH:mm:ss"
      ]
      target => "@timestamp"
    }
    grok {
      match => {
          "iis.error.remote_ip" => "%{NOZONEIP:[iis][error][remote_ip_geoip]}"
      }
      pattern_definitions => {
          "NOZONEIP" => "[^%]*"
      }
    }
    geoip {
      source => "[iis][error][remote_ip_geoip]"
      target => "[iis][error][geoip]"
    }
  }
}
}
Step 6 - Validate configuration

Let's check the configuration file is syntactically correct.

Run from the extracted archive dir:

filebeat -e -c filebeat.yml

Step 7 - Start filebeat

Now we need to start the Filebeat service. In powershell run the following command:

Start-Service filebeat

Ready to get going?

Try our 14 day free trial

No commitment and no catches

Create Free Trial