iis-web.conf

input {
  file {
    type => "iis-weblogs"
    start_position => "beginning"
    path => "/W3SVC1/u_ex*.log"
  }
}
filter {
  if ([message] =~ /^#/) {
    drop { }
    }
  if [type] == "iis-weblogs" {
    csv {
      columns => ["date","time","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs(User-Agent)","sc-status","sc-substatus","sc-win32-status","time-taken"]
      separator => " "
      remove_field => [ "sc-win32-status" ]
      remove_field => [ "sc-substatus" ]
      remove_field => [ "message" ]
    }
    mutate {
      replace => [ "date", "%{date} %{time}" ]
      remove_field => [ "time" ]
    }
    date {
      match => [ "date", "YYYY-MM-DD HH:mm:ss" ]
      target => [ "datetime"]
      remove_field => [ "date" ]
    }
    geoip {
      source => "s-ip"
    } 
  } 
}
output {
  elasticsearch {
    embedded => true
    index => "iis-weblogs"
  }
}