Extending Parsers for Custom Logs

If you would like to use a different logging format for error or access logs, you can create your own parser instead of using ours and still use the dashboards and searches from this package. We recommend duplicating our parser and then making your modifications to the duplicate.

If you are unsure of the field order of your IIS logs, and therefore of which field names to keep in your parser, check the very beginning of the IIS log file: one of its first lines (the #Fields: directive) describes the field order.

Here is an example of what to look for:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

The only requirements are that the fields in the tables below are present, and that the error and access logs get tagged as such. To tag the data, your parser should add a field to each log event, like so:

```logscale
| logtype := "iis-access-log"
```

```logscale
| logtype := "iis-error-log"
```

The first is for access logs and the second for error logs. Then configure the parser to use this field as a tag (see Event Tags). These are the fields the package currently expects access logs to contain:

Table: Access Log Mapping

| Parser Field | IIS Field |
| --- | --- |
| @timestamp | date, time |
| s_sitename | s-sitename |
| s_computername | s-computername |
| s_ip | s-ip |
| cs_method | cs-method |
| cs_uri_stem | cs-uri-stem |
| cs_uri_query | cs-uri-query |
| s_port | s-port |
| cs_username | cs-username |
| c_ip | c-ip |
| cs_version | cs-version |
| cs_user_agent | cs(User-Agent) |
| cs_cookie | cs(Cookie) |
| cs_referrer | cs(Referrer) |
| cs_host | cs-host |
| sc_status | sc-status |
| sc_substatus | sc-substatus |
| sc_win32_status | sc-win32-status |
| sc_bytes | sc-bytes |
| cs_bytes | cs-bytes |
| time_taken | time-taken |


Table: Error Log (HTTPERR) Mapping

| Parser Field | IIS Field |
| --- | --- |
| @timestamp | date, time |
| c_ip | c-ip |
| c_port | c-port |
| s_ip | s-ip |
| s_port | s-port |
| cs_version | cs-version |
| cs_method | cs-method |
| cs_uri | cs-uri |
| stream_id | streamid |
| cs_status | sc-status |
| site_id | s-siteid |
| reason_phrase | s-reason |
| queue_name | s-queuename |
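The following is an added example, not the package's own parser (which is written in LogScale). It models in Python what a custom parser must do with the material above: read the field order from the #Fields: directive, rename each IIS field to the parser field name from the two mapping tables, tag the event with logtype, build @timestamp from date and time, and report which required fields a given log layout does not supply. The sample log lines are constructed for the example; the hyphen-to-underscore fallback for IIS fields that are not in the tables, and the assumption that IIS timestamps are UTC, are this example's choices, not something the package states.

```python
import re
from datetime import datetime, timezone

# Parser field <- IIS field, taken from the Access Log Mapping table above.
ACCESS_FIELDS = {
    "s-sitename": "s_sitename", "s-computername": "s_computername", "s-ip": "s_ip",
    "cs-method": "cs_method", "cs-uri-stem": "cs_uri_stem", "cs-uri-query": "cs_uri_query",
    "s-port": "s_port", "cs-username": "cs_username", "c-ip": "c_ip",
    "cs-version": "cs_version", "cs(User-Agent)": "cs_user_agent", "cs(Cookie)": "cs_cookie",
    "cs(Referrer)": "cs_referrer",
    # IIS itself writes the W3C name cs(Referer); map that spelling to the same parser field.
    "cs(Referer)": "cs_referrer",
    "cs-host": "cs_host", "sc-status": "sc_status", "sc-substatus": "sc_substatus",
    "sc-win32-status": "sc_win32_status", "sc-bytes": "sc_bytes", "cs-bytes": "cs_bytes",
    "time-taken": "time_taken",
}

# Parser field <- IIS field, taken from the Error Log (HTTPERR) Mapping table above.
ERROR_FIELDS = {
    "c-ip": "c_ip", "c-port": "c_port", "s-ip": "s_ip", "s-port": "s_port",
    "cs-version": "cs_version", "cs-method": "cs_method", "cs-uri": "cs_uri",
    "streamid": "stream_id", "sc-status": "cs_status", "s-siteid": "site_id",
    "s-reason": "reason_phrase", "s-queuename": "queue_name",
}


def fallback_field_name(iis_field):
    """Assumed convention for IIS fields not in the tables: cs(Some-Thing) -> cs_some_thing."""
    return re.sub(r"[^a-z0-9]+", "_", iis_field.lower()).strip("_")


def parse_w3c_log(text, field_map, logtype):
    """Turn W3C-extended IIS log text into a list of event dicts.

    Directive lines (#Software:, #Date:, #Fields:, ...) are consumed, not emitted;
    the field order comes from the most recent #Fields: line. '-' becomes None.
    """
    events, fields = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive; field order unknown")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        raw = dict(zip(fields, values))
        event = {"logtype": logtype}  # the tag field the package relies on
        for iis_name, value in raw.items():
            if iis_name in ("date", "time"):
                continue
            name = field_map.get(iis_name, fallback_field_name(iis_name))
            event[name] = None if value == "-" else value
        # date + time form @timestamp; IIS logs in UTC by default (assumption of this example)
        ts = datetime.strptime(raw["date"] + " " + raw["time"], "%Y-%m-%d %H:%M:%S")
        event["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
        events.append(event)
    return events


def missing_required_fields(event, field_map):
    """Parser fields from the mapping table that this event's log layout does not supply."""
    required = set(field_map.values()) | {"@timestamp", "logtype"}
    return sorted(required - set(event))


# Constructed sample: the header from the text above plus one access log line.
SAMPLE_ACCESS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 12:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
"""

# Constructed sample HTTPERR line using the IIS field names from the error mapping table.
SAMPLE_ERROR_LOG = """#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2024-01-15 12:00:02 198.51.100.7 52044 10.0.0.5 443 HTTP/1.1 GET /bad - 400 - BadRequest -
"""

if __name__ == "__main__":
    for ev in parse_w3c_log(SAMPLE_ACCESS_LOG, ACCESS_FIELDS, "iis-access-log"):
        print(ev)
        print("missing:", missing_required_fields(ev, ACCESS_FIELDS))
    for ev in parse_w3c_log(SAMPLE_ERROR_LOG, ERROR_FIELDS, "iis-error-log"):
        print(ev)
```

Running missing_required_fields over one event from each of your real log files is a quick way to confirm, before you touch the parser, that the field order you enabled in IIS actually covers every field the package's dashboards and searches depend on.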