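### Add to new NLS INPUTS section ###
# Accepts JSON-encoded IIS request events on TCP 5142 and labels them with
# type/tags 'IIS_requests' so the filter section can select them.
# NOTE(review): as written this listener is plaintext and unauthenticated, so
# any host that can reach port 5142 can submit events. Limit the port to the
# IIS log shippers with a firewall rule, or enable TLS on the tcp input.
# NOTE(review): if the shipper's JSON already carries its own "type" field,
# the value set here may not be applied; confirm against a sample event.
tcp {
    type => 'IIS_requests'
    tags => 'IIS_requests'
    port => 5142
    codec => json
}

### Add to new NLS FILTER section ####
# String comparison in conditionals is case-sensitive, so the value must match
# the input's type exactly. The original 'IIS_Requests' never matched
# 'IIS_requests', which left every event unparsed.
if [type] == 'IIS_requests' {
    grok {
        # TIMESTAMP_ISO8601 captures the "yyyy-MM-dd HH:mm:ss" form that the
        # date filter below expects. DATESTAMP targets US/EU day-month-year
        # dates and can capture a truncated value from an ISO-style line.
        # The bare "-" after the agent field is a literal, so a line with any
        # other value in that position fails to match. Failed events are
        # tagged _grokparsefailure, which is worth monitoring.
        # "param" (query string) and "username" can hold sensitive values;
        # restrict who can read the resulting index accordingly.
        match => ['message', '%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:request} (?:%{NOTSPACE:param}|-) %{NUMBER:port} (?:%{USER:username}|-) %{IPORHOST:clientip} (?:%{NOTSPACE:agent}|-) - %{NUMBER:response} %{NUMBER:status} %{NUMBER:sub-status} %{NUMBER:time-taken}']
    }
    date {
        # NOTE(review): no timezone is given, so the parsed time is read in the
        # Logstash host's zone. IIS W3C logs are normally written in UTC; set
        # the date filter's timezone option if the two differ. Confirm against
        # the IIS logging settings.
        match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
    }
    geoip {
        # Must name the field grok actually produces. The pattern above stores
        # the client address in "clientip"; no "c-ip" field is ever created.
        source => "clientip"
    }
}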