# Author: Justin Henderson
#         SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016

filter {
  if [type] == "iis" {
    # The log is expected to have come from NXLog and in JSON format.  This allows for automatic parsing of fields
    json {
      source => "message"
    }
    # This removes the message field as it is unneccesary and tags the packet as web
    mutate {
    #  remove_field => [ "message"]
      add_tag => [ "web" ]
    }
	mutate {
		#add_tag => [ "conf_file_1031"]
	}
  }
}