Hi
I tried to get the pattern for apache error timestamp but all failed
The timestamp is used in elasticsearch is when it is indexed not the time of the error
e.g.
[Sun Feb 05 00:32:24.992868 2017] [mpm_winnt:notice] [pid 8776:tid 168] AH00354: Child: Starting 150 worker threads., Child: Starting 150 worker threads
and when I search for timestamp in the index pattern I find this:
Multiple timestamp with different types: date and string
###########################################################
This is the logstash config filter part
###########################################################
filter {
if [type] == "syslog"
{
mutate { add_tag => "syslog_tag" }
grok
{
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date
{
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
#The winlogbeat send it as wineventlog and logstash put it automatically in winlogevent index
No need for special configuration here
####################################################################################
if [type] == "wineventlog"
{
grok
{
match => { "TimeCreated", "Date(%{NUMBER:timestamp})" }
}
date
{
match => [ "timestamp", "UNIX_MS" ]
}
}
####################################################################################
if [type] == "apache_access"
{
grok
{
match => { "message" => ["%{COMBINEDAPACHELOG}", "%{IPORHOST:clientip} %{NOTSPACE:ident} %{NOTSPACE:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))" %{NOTSPACE:response} (?:%{NOTSPACE:bytes})" ] }
}
date
{
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
if [type] == "apache_error"
{
grok
{
match => { "message" => "[(?%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})] [%{WORD:module}:%{LOGLEVEL:loglevel}] [pid %{NUMBER:pid}:tid %{NUMBER:tid}]( (%{POSINT:proxy_errorcode})%{DATA:proxy_errormessage}:)?( [client %{IPORHOST:client}:%{POSINT:clientport}])? %{DATA:errorcode}: %{GREEDYDATA:message}" }
}
date
{
match => [ "timestamp" , "EEE MMM dd HH:mm:ssssss yyyy" ]
}
}
if [type] == "apache_sslrequest"
{
grok
{
match => { "message" => "[%{HTTPDATE:timestamp}] %{IPORHOST:client} %{NOTSPACE:protocol} %{NOTSPACE:cipher} "(%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" }
}
date
{
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
}