Error In Logstash Filter

marcos.vbp · September 4, 2018, 3:11pm

hi,

My log : 172.16.2.211 - - [04/Set/2018:12:09:48 -0300] "GET /lmsa/framebottom.do HTTP/1.1" 200 4858

match => { message => "%{IP:client} %{DATA:USERNAME} %{DATA:USERNAME} [%{DATA:logtime}] " %{WORD:request} %{URIPATHPARAM:path} HTTP/%{NUMBER:versioni} " %{NUMBER:response} %{GREEDYDATA:responseMessage}" }

date{
match => ["logtime","dd/MMM/yyy:HH:mm:ss Z"]
target => "logtime"
}

And before error change too.

{
"host" => "brpoaelk01.mercurio.local",
"path" => [
[0] "/var/log/weblogic/producao/lms01/access.log",
[1] "/lmsa/jsonbroker"
],
"versioni" => "1.1",
"USERNAME" => [
[0] "-",
[1] "-"
],
"client" => "172.16.2.211",
"@timestamp" => 2018-09-03T20:14:33.209Z,
"@version" => "1",
"request" => "POST",
"response" => "200",
"tags" => [
[0] "_dateparsefailure"
],
"message" => "172.16.2.211 - - [03/Set/2018:16:57:30 -0300] "POST /lmsa/jsonbroker HTTP/1.1" 200 958 ",
"type" => "weblogic-access-lms01",
"responseMessage" => "958 ",
"logtime" => "03/Set/2018:16:57:30"
}

I try use COMMONAPACHELOG, but dont work for me.
Any help me pls ?

magnusbaeck · September 4, 2018, 7:50pm

The pattern in your date filter clearly doesn't match what's in the logtime field (the field doesn't have a timezone at the end). Also, the month name is in some language other than English so try setting the date filter's locale option to the name of a locale that matches the language of your month names.

marcos.vbp · September 4, 2018, 8:07pm

Magnus,

new filter :

filter {

grok {
match => { message => "%{IP:client} %{DATA:USERNAME} %{DATA:USERNAME} [%{DATA:logtime}] "%{WORD:request} %{NOTSPACE:path} HTTP/%{NUMBER:versioni}" %{NUMBER:response} %{GREEDYDATA:responseMessage}" }

}
mutate{
#gsub => ["logtime"," -0300",""]
remove_field => [ "message" ]
}

date{
match => ["logtime","dd/MMM/yyy:HH:mm:ss Z"]
target => "logtime"
locale => "en"
timezone => "America/Sao_Paulo"
}

}

new output is :

{
"logtime" => "04/Set/2018:17:13:14 -0300",
"type" => "weblogic-access-lms01",
"path" => [
[0] "/var/log/weblogic/producao/lms01/access.log",
[1] "/lmsa/services/evento/doctoservico/integracaoFedexEntrega/enriqueceOcorrenciaEntrega"
],
"versioni" => "1.1",
"@version" => "1",
"request" => "POST",
"client" => "172.16.2.206",
"USERNAME" => [
[0] "-",
[1] "-"
],
"tags" => [
[0] "_dateparsefailure"
],
"responseMessage" => "0 ",
"response" => "200",
"host" => "brpoaelk01.mercurio.local",
"@timestamp" => 2018-09-04T20:13:15.333Z
}

same error

magnusbaeck · September 4, 2018, 8:26pm

As I said, set the locale option to the language your month names are in. "Set" is not English.

marcos.vbp · September 4, 2018, 8:30pm

Magnus,

I try locale => "pt-BR" or "en" , and error is the same . Sorry i forget said this.

marcos.vbp · September 6, 2018, 6:37pm

Somebody help ?

system · October 4, 2018, 6:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.