Extending Parsers for Custom Logs
If you would like to use a different logging format for error or access logs, you can create your own parser to use instead of using ours, and still be able to use dashboards and searches from this package.
The only requirements are that the fields in the tables below are present, and that the error and access logs get tagged as such. To tag the data, your parser should add a field to each log event, like so:
| logtype := "iis-access-log"| logtype := "iis-error-log"For each log type respectively, and then configure the parser to use this field as a tag see Event Tags. These are the fields the package is currently expecting access logs to contain:
Table: Access Log Mapping
| Parser Field | Format String |
|---|---|
| @timestamp | date, time |
| s_sitename | s-sitename |
| s_computername | s-computername |
| s_ip | s-ip |
| cs_method | cs-method |
| cs_uri_stem | cs-uri-stem |
| cs_uri_query | cs-uri-query |
| s_port | s-port |
| cs_username | cs-username |
| c_ip | c-ip |
| cs_version | cs-version |
| cs_user_agent | cs(User-Agent |
| cs_cookie | cs(Cookie) |
| cs_referrer | cs(Referrer) |
| cs_host | cs-host |
| sc_status | sc-status |
| sc_substatus | sc-substatus |
| sc_win32_status | sc-win32-status |
| sc_bytes | sc-bytes |
| cs_bytes | cs-bytes |
| time_taken | time-taken |
Table: Error log (HTTPERR) Mapping
| Parser Field | IIS Field |
|---|---|
| @timestamp | date, time |
| c_ip | c-ip |
| c_port | c-port |
| s_ip | s-ip |
| s_port | s-port |
| cs_version | cs-version |
| cs_method | cs-method |
| cs_uri | cs-uri |
| stream_id | streamid |
| cs_status | sc-status |
| site_id | s-siteid |
| reason_phrase | s-reason |
| queue_name | s-queuename |