Extending Parsers for Custom Logs

If you would like to use a different logging format for error or access logs, you can create your own parser to use instead of using ours, and still be able to use dashboards and searches from this package. We recommend duplicating our parser and then making your modifications to the new parser duplication.

If you are unsure of the field order of your IIS logs and by implication you are unsure which field names to keep in your parser, check the very beginning of the IIS log file as one of the very first lines describes the field order.

Here is an example of what to look for:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

The only requirements are that the fields in the tables below are present, and that the error and access logs get tagged as such. To tag the data, your parser should add a field to each log event, like so:

| logtype := "iis-access-log"
| logtype := "iis-error-log"

For each log type respectively, and then configure the parser to use this field as a tag see Event Tags. These are the fields the package is currently expecting access logs to contain:

Table: Access Log Mapping

Parser Field Format String
@timestamp date, time
s_sitename s-sitename
s_computername s-computername
s_ip s-ip
cs_method cs-method
cs_uri_stem cs-uri-stem
cs_uri_query cs-uri-query
s_port s-port
cs_username cs-username
c_ip c-ip
cs_version cs-version
cs_user_agent cs(User-Agent
cs_cookie cs(Cookie)
cs_referrer cs(Referrer)
cs_host cs-host
sc_status sc-status
sc_substatus sc-substatus
sc_win32_status sc-win32-status
sc_bytes sc-bytes
cs_bytes cs-bytes
time_taken time-taken

Table: Error log (HTTPERR) Mapping

Parser Field IIS Field
@timestamp date, time
c_ip c-ip
c_port c-port
s_ip s-ip
s_port s-port
cs_version cs-version
cs_method cs-method
cs_uri cs-uri
stream_id streamid
cs_status sc-status
site_id s-siteid
reason_phrase s-reason
queue_name s-queuename