
I have IIS failedlog XML files and I am trying to read, parse and send them to ES, but my LS does not send anything.

I could not find any solution. Thanks for your help.

```
input {
  file {
    path => "C:\Users\name\Desktop\Log2\WebApplication2\*.xml"
  }
}

filter {
  xml {
    source => "message"
    store_xml => false
    target => "target"
    xpath => ["/failedRequest/_url/@text", "clasification"]
    remove_field => "message"
  }
}

filter {
  mutate { add_field => { "class" => "%{target}" } }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "logfromstash"
  }
}
```

I edited the XML tree. IIS is using freb.xsl, can that cause an error?

```
object{1}
  failedRequest{16}
    Event[161]
    _xmlns:freb          : http://schemas.microsoft.com/win/2006/06/iis/freb
    _url                 : https://localhost:44324/api/employee/14
    _siteId              : 2
    _appPoolId           : Clr4IntegratedAppPool
    _processId           : 8240
    _verb                : GET
    _remoteUserName      :
    _userName            :
    _tokenUserName       : name
    _authenticationType  : anonymous
    _activityId          : {800000B5-0002-F900-B63F-84710C7967BB}
    _failureReason       : STATUS_CODE
    _statusCode          : 200
    _triggerStatusCode   : 200
    _timeTaken           : 47
```
codeKyu
  • Please include your xml log. – Ed Bangga Aug 06 '19 at 07:29
  • Try to use backslashes in your path configuration `path => "C:/Users/name/Desktop/Log2/WebApplication2/*.xml"` – leandrojmp Aug 06 '19 at 10:55
  • Logstash remembers where it has stopped when reading a file, so if Logstash has already read a file and no more lines had been appended to it, Logstash won't do anything. See https://stackoverflow.com/a/25119894/6113627 for a solution. Also adding a stdout output is useful in that case to check if events reach the outputs. – baudsp Aug 06 '19 at 11:41
  • @baudsp I did what you said but it did not change anything – codeKyu Aug 06 '19 at 12:51
  • Please share the output of your logstash – C.med Aug 06 '19 at 14:42

0 Answers
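A pipeline that applies the checks raised in the comments (forward-slash path, no remembered read position, a stdout output), as an added example that is not part of the original thread. It goes beyond the comments in two ways: the multiline codec joins each file into one event, because the file input otherwise emits one event per line and the xml filter never sees a whole document, and the XPath reads the values as attributes of `failedRequest`. Assumptions: each file begins with an `<?xml version` declaration, and the `_url`-style names in the tree view correspond to XML attributes such as `url`.

```logstash
input {
  file {
    # Forward slashes: the glob in the file input does not match backslash paths.
    path => "C:/Users/name/Desktop/Log2/WebApplication2/*.xml"
    start_position => "beginning"
    # Windows null device: no read offsets are kept, so files are re-read on
    # every restart. For testing only; it duplicates events in a live index.
    sincedb_path => "NUL"
    codec => multiline {
      # Assumption: every file starts with this declaration. Any line that is
      # not the declaration is appended to the event started by it.
      pattern => "^<\?xml version"
      negate => true
      what => "previous"
      max_lines => 20000         # default is 500; a trace with many Event nodes exceeds it
      auto_flush_interval => 2   # emit the last document without waiting for a new one
    }
  }
}

filter {
  xml {
    source => "message"
    store_xml => false
    # Attribute values are selected with @name. Each result is stored as an array.
    xpath => {
      "/failedRequest/@url"           => "url"
      "/failedRequest/@verb"          => "verb"
      "/failedRequest/@statusCode"    => "statusCode"
      "/failedRequest/@failureReason" => "failureReason"
      "/failedRequest/@timeTaken"     => "timeTaken"
      "/failedRequest/@activityId"    => "activityId"
    }
    # Drop the raw trace after extraction so the full document is not indexed.
    remove_field => ["message"]
  }
}

output {
  # Shows every event on the console, which confirms whether events reach the outputs.
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "localhost:9200"
    index => "logfromstash"
  }
}
```

Events tagged `_xmlparsefailure` or `multiline_codec_max_lines_reached` in the stdout output indicate that a document was split or could not be parsed.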