Additional string in existing logstash config file to index haproxy

Hi, I am very new to Logstash and ELK. Can someone help me create the proper string in the Logstash config file to index some fields?

Example:
"<134>Jan 30 20:25:51 haproxy[8265]: 192.168.1.10:57176 [30/Jan/2020:20:25:50.490] minio~ dev4_cluster/minioh1 83/0/0/534/617 200 360 - - ---- 5/5/3/4/0 0/0 "PUT /mybucket/12?partNumber=75&uploadId=b8c9037f-b0d3-4040-943a-f73af52b890a HTTP/1.1"\n",

The fields that'd probably be the most useful to me are:

%ci (client IP)
%B (status code)
%r (http request)

Below is the existing string in the conf file. Can an additional string be added to that, and what would it be?

if [type] == "qumulo" {
  grok {
    # Single-quoted so the literal double quotes inside the pattern do not end the string
    match => { "message" => '%{TIMESTAMP_ISO8601:syslog_timestamp} %{HOSTNAME:q_server} %{WORD:q_service} - - - %{IPV4:q_client_ip},"%{DATA:q_client_user}",%{WORD:q_protocol},%{DATA:q_fs_operation},%{WORD:q_status},(%{POSINT:q_file_id})?,"%{DATA:q_file_path}","%{DATA:q_secondary_file_path}"' }
  }
}

The default HAProxy HTTP log format is being used:
"%ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r"

Thx
Julian
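
One way to parse the sample line above with grok, as an added example that is not part of the original post. It follows the log format string quoted in the post field by field; in that format `%ST` is the status code, `%B` is the number of bytes read and `%{+Q}r` is the quoted request line. The `haproxy` type value, the failure tag and all `syslog_*` and `ha_*` field names are assumptions, and the line is assumed to arrive without a hostname after the syslog timestamp, as in the sample.

```logstash
filter {
  # Assumed type value; set it on the input that receives the HAProxy syslog stream
  if [type] == "haproxy" {
    grok {
      # Single-quoted so the literal double quotes around the request need no escaping.
      # Timers, retries and byte counts use INT because HAProxy can log -1 or a leading "+".
      # The two {...} groups are the optional captured header blocks (%hr and %hs).
      # The closing quote is optional so a truncated request line still parses.
      match => {
        "message" => '(?:<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{PROG:ha_program}(?:\[%{POSINT:ha_pid}\])?: %{IP:ha_client_ip}:%{INT:ha_client_port} \[%{HAPROXYDATE:ha_accept_date}\] %{NOTSPACE:ha_frontend} %{NOTSPACE:ha_backend}/%{NOTSPACE:ha_server} %{INT:ha_tq}/%{INT:ha_tw}/%{INT:ha_tc}/%{INT:ha_tr}/%{INT:ha_tt} %{INT:ha_status_code:int} %{INT:ha_bytes_read:int} %{NOTSPACE:ha_request_cookie} %{NOTSPACE:ha_response_cookie} %{NOTSPACE:ha_termination_state} %{INT:ha_actconn}/%{INT:ha_feconn}/%{INT:ha_beconn}/%{INT:ha_srvconn}/%{INT:ha_retries} %{INT:ha_srv_queue}/%{INT:ha_backend_queue}(?: \{%{DATA:ha_request_headers}\})?(?: \{%{DATA:ha_response_headers}\})? "(?<ha_http_request>[^"]*)"?'
      }
      # Distinct tag so HAProxy lines that fail to parse can be found and reviewed
      tag_on_failure => ["_haproxy_grokparsefailure"]
    }
  }
}
```

For the sample line this yields `ha_client_ip` = 192.168.1.10, `ha_status_code` = 200, `ha_bytes_read` = 360 and `ha_http_request` = the full `PUT /mybucket/12?... HTTP/1.1` request line.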
