Can't filter Input on Filter Logstash


(Tat Dat Pham) #1

Hi, i try to install filebeat on web server with config

filebeat:
prospectors:
-
paths:

  • /var/log/nginx/access.log
    input_type: nginx-access-2
    logstash:
    hosts: ["10.1.11.171:5044"]
    index: filebeat-kibana-srv

And i try to using filter on Logstash with Patterns nginx

NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response}  (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{IPORHOST:host} %{BASE10NUM:request_duration}

And add new file config filter-nginx-access-2.conf

filter {
if [type] == "nginx-access-2" {
grok {
match => { "message" => "%{NGINXACCESS}" }
}
}
}

and this is file config beat with logstash

input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => "10.1.11.173:9200"
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

When i try to view log on kibana :

http://www.upsieutoc.com/images/2015/12/19/log.png

In this image, filter not working ???
Can you help me explain that ?

Thanks


(system) #2