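# Old-style (Logstash 1.x, `type =>` on filters) pipeline for IIS Advanced
# Logging events of type "iis_advanced_full": one log line per TCP event,
# grokked into the fixed field list below, then the record's own timestamp is
# promoted to @timestamp.
input {
  # NOTE(review): no `host` is set, so the listener binds every interface and
  # accepts unauthenticated, unencrypted events from any peer that can reach
  # port 3333 -- anyone on that network can inject forged "IIS" log lines.
  # Restrict with `host => "127.0.0.1"` (or a firewall rule) and put a
  # TLS-capable shipper in front when the IIS hosts are remote.
  tcp {
    type => "iis_advanced_full"
    port => 3333
  }
}

filter {
  grok {
    type => "iis_advanced_full"
    # Field order must match the IIS Advanced Logging field selection exactly;
    # a mismatch tags every event _grokparsefailure rather than failing loudly.
    # Caveats for downstream users:
    #  - x_forwarded_for is matched with %{IP}: a multi-hop "a, b" value (or
    #    any client-supplied junk in the header) makes the whole line
    #    unparseable. The header is attacker-controlled; never treat it as the
    #    real client address -- c_ip is the socket peer.
    #  - "querysting" is a long-standing typo for querystring; kept as-is
    #    because renaming the field would break existing searches/dashboards.
    #  - cs_cookie and username are captured verbatim, so session tokens end
    #    up in Elasticsearch (and on stdout, see output) in cleartext.
    pattern => "(?:-|\"%{IP:x_forwarded_for}\") %{NUMBER:sc_win32_status} (?:-|%{NONNEGINT:w3wp-privatebytes}) (?:-|%{DATA:username}) (?:-|\"%{DATA:agent}\") %{URIPATHPARAM:request} (?:-|%{DATA:querysting}) %{TIME:time} %{TIME:time_local} %{NUMBER:time_taken_ms} %{INT:sc_substatus} %{INT:status} (?:-|\"%{IPORHOST:s_sitename}\") %{IP:s_ip} %{POSINT:s_port} \"%{DATA:s_computername}\" (?:-|%{NUMBER:requestspersecond}) (?:-|\"%{URI:cs_referrer}\") (?:-|\"%{DATA:s_proxy}\") (?:-|\"%{DATA:cs_version}\") (?:-|\"%{DATA:c_protocol}\") (?:-|%{WORD:cs_method}) (?:-|\"%{IPORHOST:cs_host}\") %{TIMESTAMP_ISO8601:endrequest_utc} %{DATE_EU:date} %{DATE_EU:date_local} (?:-|%{NUMBER:cpu_utilization}) (?:-|\"%{DATA:cs_cookie}\") (?:-|\"%{DATA:s_contentpath}\") %{IP:c_ip} %{NUMBER:sc_bytes} %{NUMBER:cs_bytes} %{TIMESTAMP_ISO8601:timestamp}"
  }

  # The grokked timestamp carries no zone, so append "+0000" to satisfy the
  # trailing "Z" in the date format below. This presumes IIS is logging in
  # UTC -- confirm against the site's logging settings, otherwise every event
  # is shifted by the server's offset.
  # `type` added so this filter is scoped like its neighbours instead of
  # touching every event that flows through the pipeline.
  mutate {
    type => "iis_advanced_full"
    gsub => [ "timestamp", "(.*) (.*)", "\1 \2 +0000" ]
  }

  date {
    type => "iis_advanced_full"
    # Pull @timestamp from the 'timestamp' field grokked above; after the
    # gsub it looks like "2012-05-14 09:52:10.548 +0000".
    # Hour is HH (0-23), not kk (Joda clock-hour, 1-24): IIS writes the
    # midnight hour as "00", which kk rejects, so those events failed to parse.
    timestamp => "yyyy-MM-dd HH:mm:ss.SSS Z"
  }
}

output {
  # Debug aid only: dumps every full event -- including cs_cookie, username
  # and the raw request -- to stdout as JSON. Remove it wherever stdout is
  # captured to a log file or a process supervisor.
  stdout {
    debug => true
    debug_format => "json"
  }

  elasticsearch {
    # 'embedded' runs a real Elasticsearch node inside Logstash, so you can
    # get started without a separate process. NOTE(review): that node still
    # opens Elasticsearch's own network ports without authentication -- fine
    # on a laptop, not on a shared or internet-facing host.
    embedded => true
  }
}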