IIS fields

Module for parsing IIS log files.

iis fields

Fields from IIS log files.

access fields

Contains fields for IIS access logs.

iis.access.server_ip

type: keyword

The server IP address.

iis.access.method

type: keyword

example: GET

The request HTTP method.

iis.access.url

type: keyword

The request HTTP URL.

iis.access.query_string

type: keyword

The request query string, if any.

iis.access.port

type: long

The request port number.

iis.access.user_name

type: keyword

The user name supplied when basic authentication is used.

iis.access.remote_ip

type: keyword

The client IP address.

iis.access.referrer

type: keyword

The HTTP referrer.

iis.access.response_code

type: long

The HTTP response code.

iis.access.sub_status

type: long

The HTTP substatus code.

iis.access.win32_status

type: long

The Windows status code.

iis.access.request_time_ms

type: long

The request time in milliseconds.

iis.access.site_name

type: keyword

The site name and instance number.

iis.access.server_name

type: keyword

The name of the server on which the log file entry was generated.

iis.access.http_version

type: keyword

The HTTP version.

iis.access.cookie

type: keyword

The content of the cookie sent or received, if any.

iis.access.hostname

type: keyword

The host header name, if any.

iis.access.body_sent.bytes

type: long

format: bytes

The number of bytes of the server response body.

iis.access.body_received.bytes

type: long

format: bytes

The number of bytes of the server request body.

iis.access.agent

type: text

Contains the unparsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used.

user_agent fields

Contains the parsed user agent field. Only present if the user agent Elasticsearch plugin is available and used.

iis.access.user_agent.device

type: keyword

The name of the physical device.

iis.access.user_agent.major

type: long

The major version of the user agent.

iis.access.user_agent.minor

type: long

The minor version of the user agent.

iis.access.user_agent.patch

type: keyword

The patch version of the user agent.

iis.access.user_agent.name

type: keyword

example: Chrome

The name of the user agent.

iis.access.user_agent.os

type: keyword

The name of the operating system.

iis.access.user_agent.os_major

type: long

The major version of the operating system.

iis.access.user_agent.os_minor

type: long

The minor version of the operating system.

iis.access.user_agent.os_name

type: keyword

The name of the operating system.

iis.access.user_agent.original

type: text

Original user agent value before parsing by the ingest-user-agent plugin.

Field is not indexed.

geoip fields

Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

iis.access.geoip.continent_name

type: keyword

The name of the continent.

iis.access.geoip.country_iso_code

type: keyword

Country ISO code.

iis.access.geoip.location

type: geo_point

The longitude and latitude.

iis.access.geoip.region_name

type: keyword

The region name.

iis.access.geoip.city_name

type: keyword

The city name.

iis.access.geoip.region_iso_code

type: keyword

Region ISO code.

error fields

Contains fields for IIS error logs.

iis.error.remote_ip

type: keyword

The client IP address.

iis.error.remote_port

type: long

The client port number.

iis.error.server_ip

type: keyword

The server IP address.

iis.error.server_port

type: long

The server port number.

iis.error.http_version

type: keyword

The HTTP version.

iis.error.method

type: keyword

example: GET

The request HTTP method.

iis.error.url

type: keyword

The request HTTP URL.

iis.error.response_code

type: long

The HTTP response code.

iis.error.reason_phrase

type: keyword

The HTTP reason phrase.

iis.error.queue_name

type: keyword

The IIS application pool name.

geoip fields

Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

iis.error.geoip.continent_name

type: keyword

The name of the continent.

iis.error.geoip.country_iso_code

type: keyword

Country ISO code.

iis.error.geoip.location

type: geo_point

The longitude and latitude.

iis.error.geoip.region_name

type: keyword

The region name.

iis.error.geoip.city_name

type: keyword

The city name.

iis.error.geoip.region_iso_code

type: keyword

Region ISO code.