Filebeat for IIS logs


Alec Waters

Sep 19, 2018, 11:11:52 AM
to security-onion
Hi all,

We've got filebeat exporting IIS logs into logstash, and we can find them on the beats dashboard in Kibana.

What we'd really like is the IIS dashboard shown here: https://www.elastic.co/guide/en/beats/filebeat/6.3/filebeat-module-iis.html

I'm a little reluctant to run "filebeat.exe setup" as described above, because this (https://github.com/Security-Onion-Solutions/security-onion/wiki/Beats) says "To install a Beat, follow the instructions provided for the respective Beat, with the exception of loading the index template, as Security Onion uses its own template file to manage Beats fields."

Has anyone else got filebeat+IIS logs parsing nicely?

Many thanks,
alec

Alec Waters

Sep 20, 2018, 11:49:48 AM
to security-onion
Hi all,

Would I be right in thinking that nginx parsing via beats is set up by default, in that there are index patterns etc for it? If that's right, what would it take to set up the corresponding IIS config?

Many thanks,
alec

Wes Lambert

Sep 20, 2018, 11:58:13 AM
to securit...@googlegroups.com
Hi Alec,

If you are looking to bring in IIS logs using Filebeat, you will need to:

(1) Configure Filebeat (filebeat.yml) to look at the IIS log (and output to Logstash/SO) -- make sure to add an exception for Filebeat on SO using so-allow
(2) Either create a new/use/modify the existing config for IIS in /etc/logstash/conf.d/ (will likely need to modify, as I have not tested with SO -- if you are modifying or creating a new file, make sure to add/copy into /etc/logstash/custom)
(3) Define the mappings/data types in the template file that pertains to the index to which you wish to add new fields.

To answer your question in regard to Nginx, I believe there is a module for that in Filebeat as well.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
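As an added example (not Wes's code, and not Security Onion's or Elastic's own configuration), a Logstash filter that implements step (2) for IIS W3C access lines shipped by the Filebeat IIS module. It assumes the default IIS field order (check the `#Fields:` header of your log), that Filebeat 6.x tags module events with `fileset.module`/`fileset.name` when outputting to Logstash, and the file name under /etc/logstash/custom/ is a placeholder.

```conf
# /etc/logstash/custom/8000_filter_iis.conf  (placeholder name; pick a number that
# sorts after SO's beats input and before its Elasticsearch output)
filter {
  # Only touch events the Filebeat IIS module tagged as IIS access logs
  if [fileset][module] == "iis" and [fileset][name] == "access" {

    # W3C directive lines (#Software, #Version, #Fields, #Date) are not events
    if [message] =~ /^#/ {
      drop { }
    }

    # Default IIS W3C field order:
    #   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
    #   cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    # Verify this against the "#Fields:" header of your log before relying on it.
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:iis_timestamp} %{IPORHOST:server_ip} %{WORD:http_method} %{URIPATH:uri_stem} %{NOTSPACE:uri_query} %{NUMBER:server_port:int} %{NOTSPACE:username} %{IPORHOST:client_ip} %{NOTSPACE:user_agent} %{NOTSPACE:referer} %{NUMBER:status_code:int} %{NUMBER:sub_status:int} %{NUMBER:win32_status:int} %{NUMBER:time_taken:int}"
      }
      tag_on_failure => ["_iis_grok_failure"]
    }

    if "_iis_grok_failure" not in [tags] {
      # IIS writes W3C timestamps in UTC regardless of the server's time zone
      date {
        match        => ["iis_timestamp", "yyyy-MM-dd HH:mm:ss"]
        timezone     => "UTC"
        remove_field => ["iis_timestamp"]
      }

      # IIS logs "-" for empty values; drop those so they don't pollute aggregations
      ruby {
        code => '
          ["uri_query", "username", "user_agent", "referer"].each do |f|
            event.remove(f) if event.get(f) == "-"
          end
        '
      }

      # IIS replaces spaces in the User-Agent with "+"; restore them
      if [user_agent] {
        mutate { gsub => ["user_agent", "[+]", " "] }
      }
    }
  }
}
```

The integer fields this produces (server_port, status_code, sub_status, win32_status, time_taken) are what step (3) has to declare in the template SO applies to the beats index; unmatched lines keep the raw `message` and carry the `_iis_grok_failure` tag so they can be found in Kibana rather than silently dropped.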

Alec Waters

Sep 20, 2018, 12:04:58 PM
to security-onion
Hi Wes,

> (1) Configure Filebeat (filebeat.yml) to look at the IIS log (and output to Logstash/SO) -- make sure to add an exception for Filebeat on SO using so-allow
> Ex: https://discuss.elastic.co/t/filebeat-logstash-iis-kibana/109232
> Or consider using the Filebeat IIS module: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-iis.html

Yep, done that - I'm using the IIS module

> (2) Either create a new/use/modify the existing config for IIS in /etc/logstash/conf.d/ (will likely need to modify, as I have not tested with SO -- if you are modifying or creating a new file, make sure to add/copy into /etc/logstash/custom)

Where can I get the existing IIS config from?

> (3) Define the mappings/data types in the template file that pertains to the index to which you wish to add new fields.

Where can I find out how to do this?

Many thanks,
alec

Stephen Eaton

Nov 28, 2018, 6:56:02 AM
to security-onion
Hi Alec,

Did you have any joy with an IIS config? I have SO ingesting IIS filebeat logs, just need to get the fields mapped.

Stephen..
