I have been looking around here and there, but could not find the working resolution. I try to use Grok Filter inside the Logstash config file to filter Apache-Access log file. The log message looks like this: {"message":"00.00.0.000 - - [dd/mm/YYYY:hh:mm:ii +0000] \"GET /index.html HTTP/1.1\" 200 00"}.
At the moment I could only filter the client IP by using grok { match => [ "message", "%{IP:client_ip}" ] }.
I want to filter:
- The GET method,
- requested page (index.html),
- HTTP/1.1,
- server response 200,
- the last number 00 after 200 inside the message body
Please note that none of these works for me:
grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
or
grok { match => [ "message", "%{COMBINEDAPACHELOG}" ] }
Use the Grok Debugger to get an exact match on your log format. It's the only way.
http://grokdebug.herokuapp.com/
grok {
  # one capture per token of the common log format; the last NUMBER is the byte count
  match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:bytes}" ]
}
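To see what the pattern above actually does, here is an added Python example (not part of the answer or of Logstash) that expands `%{NAME:field}` references into a regex with named groups and runs it over a constructed line in the question's format. The primitive patterns (`IP`, `USER`, `HTTPDATE`, ...) are assumed simplifications of the real grok library, and the final check shows why a combined-format pattern fails on a line that carries no referrer or user-agent.

```python
import re

# Simplified stand-ins for the grok primitives used on this page (assumed, not Logstash's own).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"(?:[+-]?(?:\d+(?:\.\d*)?|\.\d+))",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "QS": r'"[^"]*"',
}

# Matches %{NAME} or %{NAME:field} inside a grok pattern string.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand grok references into a compiled, anchored Python regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile("^" + GROK_REF.sub(repl, pattern) + "$")


def grok_match(pattern, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None


# Pattern for the question's line, mirroring the answer's field names (assumed names).
ACCESS_LOG = (r'%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] '
              r'"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" '
              r'%{NUMBER:server_response} %{NUMBER:bytes}')
# A combined-format pattern additionally requires referrer and user-agent fields.
COMBINED_LOG = ACCESS_LOG + r' %{QS:referrer} %{QS:agent}'

# Constructed sample line in the shape of the question's message.
SAMPLE = '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 0'

if __name__ == "__main__":
    print(grok_match(ACCESS_LOG, SAMPLE))    # all fields captured
    print(grok_match(COMBINED_LOG, SAMPLE))  # None: no referrer/agent on the line
```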