Configure Elasticsearch and Filebeat to index Microsoft Internet Information Services (IIS) logs in ingest mode.
The configuration described in this article sends IIS logs directly from Filebeat to the Elasticsearch servers in "ingest" mode, with no intermediaries. If you use Logstash, the index template and the grok filter used in the pipeline may still be useful, but the Logstash configuration itself will be different.
First we need Elasticsearch and Kibana up and running. Then we will see how to configure Filebeat, together with the ingest pipeline and index template needed for Internet Information Services.
Required IIS configuration
In IIS the only thing to configure is logging: set the log format to W3C and select all fields in the log properties. This is essential for the configuration to work, because all the templates and pipelines in this post (in particular the grok pattern, which matches the columns positionally) are built for exactly this IIS log layout; adding or removing a field changes the column order and breaks the pipeline.
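The following PowerShell script is an added example, not part of the original post or its attached files. It applies the IIS logging settings this section requires (W3C format with every field selected) and then verifies them. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available; the site name 'Default Web Site' is a placeholder for your own site.

```powershell
# Added example (not from the original post): enforce and verify the IIS
# logging settings the Filebeat/Elasticsearch pipeline depends on.
# Assumptions: elevated session on the IIS host; 'Default Web Site' is a
# placeholder site name.
Import-Module WebAdministration

# Every field IIS offers in W3C format. Selecting "all fields" in the
# IIS Manager logging dialog yields this same set.
$AllFields = @(
    'Date','Time','ClientIP','UserName','SiteName','ComputerName','ServerIP',
    'Method','UriStem','UriQuery','HttpStatus','Win32Status','BytesSent',
    'BytesRecv','TimeTaken','ServerPort','UserAgent','Cookie','Referer',
    'ProtocolVersion','Host','HttpSubStatus'
)

# Configure both the server-wide defaults (inherited by new sites) and one
# existing site, which may already override the defaults.
$Targets = @(
    'system.applicationHost/sites/siteDefaults/logFile',
    "system.applicationHost/sites/site[@name='Default Web Site']/logFile"
)

foreach ($Filter in $Targets) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter `
        -Name logFormat -Value 'W3C'
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter `
        -Name logExtFileFlags -Value ($AllFields -join ',')
}

# Verification: format must be W3C and the selected field set must match
# exactly. Any difference changes the #Fields header of the log file and
# therefore the column order the grok pattern expects.
foreach ($Filter in $Targets) {
    $LogFile = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $Filter
    $Actual  = ($LogFile.logExtFileFlags -split ',') | ForEach-Object { $_.Trim() }
    $Diff    = Compare-Object -ReferenceObject $AllFields -DifferenceObject $Actual
    $Ok      = ($LogFile.logFormat -eq 'W3C') -and (-not $Diff)

    "{0}: logFormat={1} allFieldsSelected={2}" -f $Filter, $LogFile.logFormat, $Ok
    if ($Diff) {
        # Show which fields are missing (<=) or unexpected (=>).
        $Diff | ForEach-Object { "    {0} {1}" -f $_.SideIndicator, $_.InputObject }
    }
}
```

No IIS restart is needed; IIS starts writing the new `#Fields:` header as soon as the field set changes. Keep in mind that those `#`-prefixed header lines are not log entries, so the Filebeat prospector for these files should skip them (for example with `exclude_lines: ['^#']`), otherwise they reach the pipeline and fail the grok match.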
Note: a zip file with all the configuration files is attached at the end of this post.