Hello everyone, I can't find the error in Logstash when using the grok filter.
My config file:
input
{
file
{
type => "iis"
path => "C:/inetpub/logs/LogFiles/AdvancedLogs/*.log"
}
}
filter
{
if [message] =~ "^#"
{
drop {}
}
grok
{
patterns_dir => ["/patterns"]
match =>
{
"message" =>
["
%{IPORHOST:X-Forwarded-For}
%{NUMBER:sc-status}
%{WORD:s-sitename}
%{NOTSPACE:s-proxy}
%{WORD:cs-method}
%{IP:c-ip}
%{NOTSPACE:s-contentpath}
%{TIMESTAMP_ISO8601:date-local}
%{IPORHOST:cs(Host)}
%{WORD:c-protocol}
%{NOTSPACE:cs-version}
%{NOTSPACE:cs(Referer)}
%{NOTSPACE:s-computername}
%{NUMBER:s-port}
%{IP:s-ip}
%{NOTSPACE:cs-uri-query}
%{URIPATH:cs-uri-stem}
%{NOTSPACE:cs(User-Agent)}
%{NOTSPACE:cs-username}
%{IP:c-ip}
"]
}
}
date
{
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}
useragent
{
source=> "useragent"
prefix=> "browser"
}
mutate
{
remove_field => [ "log_timestamp"]
}
}
output
{
stdout { codec => rubydebug }
}
Log sample:
"10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4" 200 "SITE.COM.BR" "1.1 siteproxy01.cvc.com.br (squid)" GET 172.16.60.254 "D:\inetpub\SITE\angular-animate.js" 2018-01-02 "www.site.com.br" "http" "HTTP/1.0" "http://www.site.com.br/teste/index.aspx" "SVRWEB02" 80 10.1.1.5 v=20171222 /SITE/angular/angular-animate.js "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" - -
Even if I remove ALL grok filters and leave only one, I get the same error: "_grokparsefailure".
Can anyone help?
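An added example, not part of the original post and not Logstash code: a quote-aware Python parse of the log sample above, using the field order from the grok block. It reports which fields are wrapped in double quotes and which contain spaces, the two properties of this log format that a pattern built from bare tokens has to account for, and splits the X-Forwarded-For value into its hops. The function names are assumptions made for illustration.

```python
import re

# Field names in the order of the grok block in the post.
FIELDS = [
    "X-Forwarded-For", "sc-status", "s-sitename", "s-proxy", "cs-method",
    "c-ip", "s-contentpath", "date-local", "cs(Host)", "c-protocol",
    "cs-version", "cs(Referer)", "s-computername", "s-port", "s-ip",
    "cs-uri-query", "cs-uri-stem", "cs(User-Agent)", "cs-username", "c-ip",
]

# Log sample copied from the post (raw string keeps the backslashes literal).
SAMPLE = r'''"10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4" 200 "SITE.COM.BR" "1.1 siteproxy01.cvc.com.br (squid)" GET 172.16.60.254 "D:\inetpub\SITE\angular-animate.js" 2018-01-02 "www.site.com.br" "http" "HTTP/1.0" "http://www.site.com.br/teste/index.aspx" "SVRWEB02" 80 10.1.1.5 v=20171222 /SITE/angular/angular-animate.js "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" - -'''

# A field is either a double-quoted run (may contain spaces) or a bare run.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse(line):
    """Return [(name, value, was_quoted)]; a bare "-" (empty field) becomes None."""
    rows = []
    for m in TOKEN.finditer(line):
        quoted = m.group(1) is not None
        value = m.group(1) if quoted else m.group(2)
        rows.append((value if quoted or value != "-" else None, quoted))
    if len(rows) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(rows)}")
    return [(name, value, quoted) for name, (value, quoted) in zip(FIELDS, rows)]


def quoted_fields(rows):
    """Names of fields that appear inside double quotes in the log line."""
    return [name for name, _, quoted in rows if quoted]


def fields_with_spaces(rows):
    """Names of fields whose value contains at least one space."""
    return [name for name, value, _ in rows if value and " " in value]


def forwarded_chain(rows):
    """Split the first field (X-Forwarded-For) into its individual hops."""
    return [hop.strip() for hop in rows[0][1].split(",")]


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for name, value, quoted in rows:
        print(f"{name:16} quoted={quoted!s:5} {value!r}")
    print("quoted:", quoted_fields(rows))
    print("contain spaces:", fields_with_spaces(rows))
    print("X-Forwarded-For hops:", forwarded_chain(rows))
```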