philhagen / sof-elk

Configuration files for the SOF-ELK VM
GNU General Public License v3.0

Update 6100-httpd.conf #208

Closed joshlemon closed 3 years ago

joshlemon commented 3 years ago

Updated IIS parser to cover logs produced by an Exchange Server. Also includes an update to the 'ident' parameter to account for a Windows-based user account that occurs in IIS logs on an Exchange Server.

philhagen commented 3 years ago

I handled this by extending the ident detection to include DOMAIN/user and DOMAIN\user formats. I verified that an existing grok that includes the referer matches your sample.
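Added example, not part of this thread and not SOF-ELK's grok pattern: a Python stand-in for the ident handling discussed above, splitting the IIS `cs-username` column into domain and user for the `DOMAIN\user`, `DOMAIN/user`, bare `user` and `-` forms. The function names, the `user_domain`/`user_name` output keys and the sample log lines are constructed for illustration.

```python
import re

# Optional DOMAIN prefix joined by "\" or "/", then the account name.
IDENT_RE = re.compile(r"^(?:(?P<domain>[^\\/\s]+)[\\/])?(?P<user>[^\\/\s]+)$")

def split_ident(raw):
    """Return (domain, user); both None when IIS logged '-' (no account)."""
    if raw in ("", "-"):
        return (None, None)
    m = IDENT_RE.match(raw)
    if not m:
        return (None, raw)  # unexpected shape: keep the raw value as the user
    return (m.group("domain"), m.group("user"))

def parse_w3c(lines):
    """Parse IIS W3C lines, taking column names from the #Fields directive."""
    fields, events = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # column mismatch: skip rather than mis-assign fields
        event = dict(zip(fields, values))
        domain, user = split_ident(event.get("cs-username", "-"))
        event["user_domain"], event["user_name"] = domain, user
        events.append(event)
    return events

# Constructed sample log (documentation addresses, made-up accounts).
SAMPLE = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    "sc-win32-status time-taken",
    r"2021-03-02 08:15:01 192.0.2.10 POST /owa/auth.owa - 443 EXAMPLE\jdoe 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/ 302 0 0 31",
    "2021-03-02 08:15:09 192.0.2.10 GET /ecp/default.aspx - 443 EXAMPLE/asmith 198.51.100.8 Mozilla/5.0 - 200 0 0 12",
    "2021-03-02 08:15:12 192.0.2.10 GET /owa/auth/logon.aspx - 443 - 198.51.100.9 curl/7.68.0 - 200 0 0 4",
    "2021-03-02 08:15:20 192.0.2.10 GET /iisstart.htm - 80 localadmin 198.51.100.9 - - 200 0 0 2",
]

if __name__ == "__main__":
    for e in parse_w3c(SAMPLE):
        print(e["cs-uri-stem"], e["user_domain"], e["user_name"])
```

Splitting the domain from the account name at parse time lets the same user be correlated across sources that log it with either separator.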