I am running Logstash 6.1.3, Elasticsearch 6.1.3 and Filebeat 6.1.2.
I have a grok pattern that looks like this (notice the fail text in the middle):
grok {
  match => { "message" => [ "^%{IPORHOST:clientip} **fail**(?:%{USER:ident}|-) (?:%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" ] }
}
When I read Filebeat nginx data and output to stdout, it shows there is an error:
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "**_grokparsefailure**",
[2] "_geoip_lookup_failure"
],
But when I send the same output to Elasticsearch, _grokparsefailure is missing in the Elasticsearch output.
Any idea why this is happening?