Iis – Splunk: How Do I Extract Fields from W3C Extended Format

iislog-filesloggingsplunk

I'm trying to configure Splunk to properly parse the fields of the W3C log format.

Now, I'm running into configuration confusion: where and how do I specify how to split up the log format?

My Inputs.conf looks like this:

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC98989898]
disabled = false
host = mywebsite.net
sourcetype = iis

I tried adding this to my sourcetypes.conf:

[iis_w3c_default]
DELIMS = " "
FIELDS = "date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "cs-username", "c-ip", "cs-version", "cs(User-Agent)", "cs(Referer)", "sc-status", "sc-bytes"

But using ths as a sourcetype failed to extract any meaningful fields.

I guess I just don't grasp everything that Splunk is doing…

Once i have this working, I plan on reindexing all of my data with the new fields (which will be an ordeal in-and-of-itself).

I really, really want to like Splunk but configuration is just too wonky…

Best Answer

You can filter the lines beginning with a # using a transform.

In props.conf (you can just add the extra line below your existing setup):

[iis_w3c_default]
TRANSFORMS-blacklist-hash = iis_blacklist_hash

In transforms.conf:

[iis_blacklist_hash]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

Related Solutions

PCAP Files – How to Read PCAP Files in a Friendly Format

Wireshark is probably the best, but if you want/need to look at the payload without loading up a GUI you can use the -X or -A options

tcpdump -qns 0 -X -r serverfault_request.pcap

14:28:33.800865 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
        0x0000:  4500 047d b9c4 4000 4006 63b2 0a02 04f3  E..}..@.@.c.....
        0x0010:  453b c4d4 a40d 0050 f0d4 4747 f847 3ad5  E;.....P..GG.G:.
        0x0020:  8018 f8e0 1d74 0000 0101 080a 0425 4e6d  .....t.......%Nm
        0x0030:  0382 68a1 4745 5420 2f71 7565 7374 696f  ..h.GET./questio
        0x0040:  6e73 2048 5454 502f 312e 310d 0a48 6f73  ns.HTTP/1.1..Hos
        0x0050:  743a 2073 6572 7665 7266 6175 6c74 2e63  t:.serverfault.c
        0x0060:  6f6d 0d0a 5573 6572 2d41 6765 6e74 3a20  om..User-Agent:.
        0x0070:  4d6f 7a69 6c6c 612f 352e 3020 2858 3131  Mozilla/5.0.(X11
        0x0080:  3b20 553b 204c 696e 7578 2069 3638 363b  ;.U;.Linux.i686;

tcpdump -qns 0 -A -r serverfault_request.pcap

14:29:33.256929 IP 10.2.4.243.41997 > 69.59.196.212.80: tcp 1097
E..}..@.@.c.
...E;...^M.P..^w.G.......t.....
.%.}..l.GET /questions HTTP/1.1
Host: serverfault.com

There are many other tools for reading and getting stats, extracting payloads and so on. A quick look on the number of things that depend on libpcap in the debian package repository gives a list of 50+ tools that can be used to slice, dice, view, and manipulate captures in various ways.

For example.

Format of the log file format for splunk

You can index either the whole directory, or use wildcards to select the appropriate files.

In your case, [monitor://var/logs/catalina.*.log] should work correctly.

Best Answer

Related Solutions

PCAP Files – How to Read PCAP Files in a Friendly Format

Format of the log file format for splunk

Related Topic