From ff63a013e036da07c8791ee817afb6c113276c9f Mon Sep 17 00:00:00 2001 From: Brian McKinney Date: Wed, 8 Jul 2026 16:50:49 -0500 Subject: [PATCH 1/2] [IIS] Add grok pattern for s-ip + cookie + referer + split-bytes log layout The documented IIS access log field layout at packages/iis/docs/README.md:69 (s-ip, cs(cookie), cs(Referer), sc-bytes, cs-bytes as separate fields) has no matching grok pattern in the ingest pipeline, so any log using this exact layout fails ingestion with a grok/number-conversion error instead of parsing cleanly. Adds the missing pattern (SDH-beats#7343). --- packages/iis/changelog.yml | 5 +++++ .../test/pipeline/test-iis-access-cookie-bytes-split.log | 1 + .../access/elasticsearch/ingest_pipeline/default.yml | 6 ++++++ packages/iis/manifest.yml | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log diff --git a/packages/iis/changelog.yml b/packages/iis/changelog.yml index b5b6177ff72..b0a6c81a26e 100644 --- a/packages/iis/changelog.yml +++ b/packages/iis/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.24.7" + changes: + - description: Add a grok pattern for access logs using the "s-ip ... cs(cookie) cs(Referer) ... sc-bytes, cs-bytes" documented field layout, which had no matching pattern and failed ingestion. + type: bugfix + link: https://github.com/elastic/integrations/pull/20048 - version: "1.24.6" changes: - description: Update package title and description to improve clarity of use. diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log new file mode 100644 index 00000000000..86e201431c8 --- /dev/null +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log @@ -0,0 +1 @@ +2026-07-06 18:36:16 10.177.11.164 POST /apps/compliance/requirement.aspx RequirementId=1283 443 jdoe@example.com 10.177.2.242 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/120.0.0.0+Safari/537.36 SESSION_ID=e4edcec2803f4301909ba898ec5f3fbb;+DeviceWidth=0;+DeviceHeight=0 https://example.com/apps/compliance/requirement.aspx?RequirementId=1283 200 0 0 20123 36264 597 203.0.113.10 diff --git a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml index dbb9aaf0719..7277ad1681e 100644 --- a/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml @@ -23,6 +23,12 @@ processors: (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IP:network.forwarded_ip}))?' + - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) + (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) + (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:iis.access.cookie}) (?:-|%{NOTSPACE:http.request.referrer}) + (?:-|%{NUMBER:http.response.status_code:long}) (?:-|%{NUMBER:iis.access.sub_status:long}) + (?:-|%{NUMBER:iis.access.win32_status:long}) (?:-|%{NUMBER:http.response.body.bytes:long}) + (?:-|%{NUMBER:http.request.body.bytes:long}) (?:-|%{NUMBER:_temp_.duration:long})( (?:-|%{IP:network.forwarded_ip}))?' - '%{TIMESTAMP_ISO8601:iis.access.time} (?:-|%{IPORHOST:destination.address}) (?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_temp_.url_path}) (?:-|%{NOTSPACE:_temp_.url_query}) (?:-|%{NUMBER:destination.port:long}) (?:-|%{NOTSPACE:user.name}) (?:-|%{IPORHOST:source.address}) (?:-|%{NOTSPACE:user_agent.original}) (?:-|%{NOTSPACE:http.request.referrer}) diff --git a/packages/iis/manifest.yml b/packages/iis/manifest.yml index ac7d707a8ec..26e18ee8d24 100644 --- a/packages/iis/manifest.yml +++ b/packages/iis/manifest.yml @@ -1,6 +1,6 @@ name: iis title: IIS -version: "1.24.6" +version: "1.24.7" description: Collect access logs, error logs, and performance metrics from IIS on Windows via Elastic Agent. type: integration icons: From 1b347e6d6657edad24eede410683dcc38e916053 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 9 Jul 2026 11:44:13 +0200 Subject: [PATCH 2/2] [IIS] Add generated expected output for cookie/bytes-split pipeline test Adds the missing test-iis-access-cookie-bytes-split.log-expected.json fixture generated via elastic-package test pipeline --generate, which resolves the failing IIS pipeline test. --- ...ccess-cookie-bytes-split.log-expected.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log-expected.json diff --git a/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log-expected.json b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log-expected.json new file mode 100644 index 00000000000..7e6415eae42 --- /dev/null +++ b/packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-cookie-bytes-split.log-expected.json @@ -0,0 +1,92 @@ +{ + "expected": [ + { + "@timestamp": "2026-07-06T18:36:16.000Z", + "destination": { + "address": "10.177.11.164", + "ip": "10.177.11.164", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "web", + "network" + ], + "duration": 597000000, + "kind": "event", + "original": "2026-07-06 18:36:16 10.177.11.164 POST /apps/compliance/requirement.aspx RequirementId=1283 443 jdoe@example.com 10.177.2.242 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/120.0.0.0+Safari/537.36 SESSION_ID=e4edcec2803f4301909ba898ec5f3fbb;+DeviceWidth=0;+DeviceHeight=0 https://example.com/apps/compliance/requirement.aspx?RequirementId=1283 200 0 0 20123 36264 597 203.0.113.10", + "outcome": "success", + "type": [ + "connection" + ] + }, + "http": { + "request": { + "body": { + "bytes": 36264 + }, + "method": "POST", + "referrer": "https://example.com/apps/compliance/requirement.aspx?RequirementId=1283" + }, + "response": { + "body": { + "bytes": 20123 + }, + "status_code": 200 + } + }, + "iis": { + "access": { + "cookie": "SESSION_ID=e4edcec2803f4301909ba898ec5f3fbb;+DeviceWidth=0;+DeviceHeight=0", + "sub_status": 0, + "win32_status": 0 + } + }, + "network": { + "forwarded_ip": "203.0.113.10" + }, + "related": { + "ip": [ + "10.177.2.242", + "10.177.11.164" + ], + "user": [ + "jdoe" + ] + }, + "source": { + "address": "10.177.2.242", + "ip": "10.177.2.242" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "extension": "aspx", + "original": "/apps/compliance/requirement.aspx", + "path": "/apps/compliance/requirement.aspx", + "query": "RequirementId=1283" + }, + "user": { + "domain": "example.com", + "name": "jdoe" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "120.0.0.0" + } + } + ] +}