My fix for a very similar issue: in the `modules\iis\access\ingest\default.json` file, in the patterns area, replace the URIPATH with NOTSPACE. It fixes a whole bunch of other issues with the URL parsing, like when [ and ] are put in there. Burp Suite does checks with those and ends up breaking the import for those particular line entries; the error.message property stated that there were no matching Grok expressions.
You will need to update the pipeline in Elasticsearch. For PowerShell, use something like:

```powershell
Invoke-WebRequest -uri http://<elasticurl>:9200/_ingest/pipeline/filebeat-7.2.0-iis-access-default -ContentType "application/json" -InFile "default.json" -Method PUT
```
Worked for me anyways.
That's not the only issue in the IIS module. In the error ingest default JSON file, there is a destination port that is specified as IPORHOST. It should be NUMBER. `%{IPORHOST:destination.port:long}` needs to be `%{NUMBER:destination.port:long}`. I also made the change of `(?:%{URIPATHPARAM:url.original}|-)(?: -)?` to `(?:%{NOTSPACE:url.original}|-)(?: -)?`. The URL to update the error one is `http://<elasticurl>:9200/_ingest/pipeline/filebeat-7.2.0-iis-error-default`
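An added example (not part of the comment above, and not Filebeat's own code) for checking which log lines a path pattern leaves unparsed before and after the URIPATH to NOTSPACE swap. It assumes the URIPATH and NOTSPACE definitions from the stock grok pattern set, uses a reduced four-field stand-in for the access pattern, and runs on constructed sample lines.

```python
import re

# Assumption: URIPATH and NOTSPACE as defined in the stock grok pattern set;
# compare with the pattern file shipped with your Elasticsearch version.
URIPATH = r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+"
NOTSPACE = r"\S+"

# Reduced stand-in for the access pattern: method, path, query, port only.
TEMPLATE = r"^(?P<method>\w+) (?P<path>{path}) (?P<query>\S+) (?P<port>\d+)$"


def compile_with(path_pattern):
    """Build the reduced line pattern with the given expression for the path field."""
    return re.compile(TEMPLATE.replace("{path}", path_pattern))


BEFORE = compile_with(URIPATH)   # pattern as shipped
AFTER = compile_with(NOTSPACE)   # pattern after the change described above

# Constructed sample lines (fields: method path query port).
SAMPLE = [
    "GET /index.html - 80",
    "GET /app/login.aspx user=1 443",
    "GET /api/items[0] - 80",
    "POST /upload/[test]/file.txt - 443",
]


def unparsed(pattern, lines):
    """Return the lines the pattern cannot parse, i.e. the ones ingest would reject."""
    return [ln for ln in lines if pattern.match(ln) is None]


def offending_chars(line):
    """Characters in the path field that fall outside URIPATH's character class."""
    path = line.split(" ")[1]
    allowed = re.compile(r"[/A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]")
    return sorted({c for c in path if not allowed.match(c)})


if __name__ == "__main__":
    for ln in unparsed(BEFORE, SAMPLE):
        print("URIPATH fails:", ln, offending_chars(ln))
    print("NOTSPACE fails:", unparsed(AFTER, SAMPLE))
```

NOTSPACE accepts any non-whitespace run, so after the change the URL field is captured but no longer shape-checked; anything consuming it downstream should treat it as untrusted input.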
@kaiyan-sheng As discussed, I have created a ticket for the issue I'm seeing with the Filebeat IIS module.
Attached URL for reference.
For confirmed bugs, please report: