Logstash 以下IIS服务器日志的Grok模式是什么？_Logstash_Logstash Grok_Logstash Configuration

Logstash 以下IIS服务器日志的Grok模式是什么？

logstash

Logstash 以下IIS服务器日志的Grok模式是什么？,logstash,logstash-grok,logstash-configuration,Logstash,Logstash Grok,Logstash Configuration,我有以下IIS服务器日志：- 2018-09-16 06:19:25 W3SVC10 webserver 107.6.166.194 GET /axestrack/homepagedata/ uname=satish5633&pwd=5633&panelid=1 80 - 117.225.237.56 HTTP/1.1 Dalvik/2.1.0+(Linux;+U;+Android+6.0.1;+vivo+1606+Build/MMB29M) - - vehicletrack.b

我有以下IIS服务器日志：-

2018-09-16 06:19:25 W3SVC10 webserver 107.6.166.194 GET /axestrack/homepagedata/ uname=satish5633&pwd=5633&panelid=1 80 - 117.225.237.56 HTTP/1.1 Dalvik/2.1.0+(Linux;+U;+Android+6.0.1;+vivo+1606+Build/MMB29M) - - vehicletrack.biz 200 0 0 883 224 4

我尝试了以下几点：-

%{TIMESTAMP_ISO8601:logtime} %{WORD:s-sitename} %{WORD:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method

API_NAME : /axestrack/homepagedata/
API_PARAMETRES : uname=satish5633&pwd=5633&panelid=1
PORT : 80
CS-USERNAME : -(Can be hyphen or username)
CLIENT-IP : 117.225.237.56

但在cs方法之后，我不知道如何编写grok模式来提取剩余字段。如何为以下内容编写Grok模式：-

%{TIMESTAMP_ISO8601:logtime} %{WORD:s-sitename} %{WORD:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method

API_NAME : /axestrack/homepagedata/
API_PARAMETRES : uname=satish5633&pwd=5633&panelid=1
PORT : 80
CS-USERNAME : -(Can be hyphen or username)
CLIENT-IP : 117.225.237.56

试试这个：

%{TIMESTAMP_ISO8601:logtime} %{WORD:s-sitename} %{WORD:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method} %{URIPATH:API_NAME} %{NOTSPACE:API_PARAMETRES} %{NUMBER:PORT} %{NOTSPACE:CS_USERNAME} %{IPORHOST:CLIENT_IP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timeTaken}