Access Log Filter

deepakkr407 · November 29, 2017, 9:46am

I am using following filter but this is not fetching response code and timetaken as column in elastic search. Any suggestions?

{ "message" => [ "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:s-sitename} %{NOTSPACE:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-win32-status:int} %{NUMBER:sc-bytes:int} %{NUMBER:cs-bytes:int} %{NUMBER:time-taken:int}","%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:s-sitename} %{NOTSPACE:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NUMBER:response:int} %{NUMBER:sc-substatus:int} %{NUMBER:time-taken:int}","%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-win32-status:int} %{NUMBER:sc-bytes:int} %{NUMBER:cs-bytes:int} %{NUMBER:time-taken:int}" ] }

Logs Pattern

2017-11-04 04:10:49 ABC CDE 168.94.220.121 GET / - 443 - 1.1.1.1 QualysGuard 403 14 0 1461 106 7254

JKhondhu · November 30, 2017, 11:40pm

Hi,
Here is a link on grok basics: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#_grok_basics2

http://grokdebug.herokuapp.com and http://grokconstructor.appspot.com/ are useful for helping building patterns to match your logs.

system · December 28, 2017, 11:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.