40-iis-filter.conf

filter {

  #ignore log comments
  if [message] =~ "^#" {
    drop {}
  }


  grok {
    # check that fields match the IIS log settings
    match => [
    "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}",
    "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:query} %{NUMBER:port} - %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"
    ]
  }

  #Set the Event Timestamp from the log
        date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
          timezone => "Etc/UCT"
  }


  useragent {
        source=> "useragent"
        prefix=> "browser"
  }

  mutate {
        remove_field => [ "log_timestamp"]
  }

  geoip {
      source => "clienthost"
    }
        translate {
      field => "response"
      destination => "response"
      override => true
      dictionary => [ "100", "100 Continue",
                      "101", "101 Switching protocols",
                      "200", "200 OK",
                      "201", "201 Created",
                      "202", "202 Accepted",
                      "203", "203 Non-authoritative information",
                      "204", "204 No content",
                      "205", "205 Reset content",
                      "206", "206 Partial content",
                      "207", "207 Multi-Status",
                      "301", "301 Moved Permanently",
                      "302", "302 Object moved",
                      "304", "304 Not modified",
                      "307", "307 Temporary redirect",
                      "400", "400 Bad request",
                      "401", "401 Access denied",
                      "403", "403 Forbidden",
                      "404", "404 Not found",
                      "405", "405 Method not allowed",
                      "406", "406 Client browser does not accept the MIME type of the requested page",
                      "407", "407 Proxy authentication required",
                      "412", "412 Precondition failed",
                      "413", "413 Request entity too large",
                      "414", "414 Request-URI too long",
                      "415", "415 Unsupported media type",
                      "416", "416 Requested range not satisfiable",
                      "417", "417 Execution failed",
                      "423", "423 Locked error",
                      "500", "500 Internal server error",
                      "501", "501 Header values specify a configuration that is not implemented",
                      "502", "502 Web server received an invalid response while acting as a gateway or proxy",
                      "503", "503 Service unavailable",
                      "504", "504 Gateway timeout",
                      "505", "505 HTTP version not supported"
                      ]
    }
}