Filebeat module apache2 no see website name in log


(Robin ) #1

Hello,

I have set up the Filebeat apache2 module on all servers. I can see the logs in the Kibana web app, but I can't see the vhost name.

If I check default.json for the apache2 module in the Filebeat directory, I see this:

"description": "Pipeline for parsing Apache2 access logs. Requires the geoip and user_agent plugins.",
"processors": [{
  "grok": {
    "field": "message",
    "patterns": [
      "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"%{WORD:apache2.access.method} %{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}\" %{NUMBER:apache2.access.response_code} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:apache2.access.referrer}\")?( \"%{DATA:apache2.access.agent}\")?",
      "%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -"
    ],
    "ignore_missing": true

But I don't see any variables that contain the website name. For example, here is a line from the same server where Filebeat and the apache module are installed:

VHOSTNAME:80 213.118.6.201 - - [09/Aug/2017:10:33:35 +0200] "GET /sites/default/files/styles/other_menus/public/menu/1024-483-wok_0.jpg?itok=y_RDu-90 HTTP/1.1" 200 11838 "http://VHOSTNAME/nl/het-menu/brasserie" "Mozilla/5.0 (Linux; Android 7.0; SM-A510F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36"

Why can't I see VHOSTNAME in the Kibana log? I have a web server with multiple sites; how can I know which website a log entry is for?


(Andrew Kroh) #2

The grok pattern used by the module matches the apache common log format and the apache combined log format IIRC.

In order to know which vhost the log is associated with you could customize the grok pattern to parse the leading vhost name. Or you could configure each of your <VirtualHost>s to write their own log file using a CustomLog directive.
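The first suggestion above, sketched as an added example (not code from the thread or from Filebeat): a small Python emulation of the grok match showing why the stock pattern drops the leading vhost and how a prefixed pattern keeps it. The field names `apache2.access.vhost` and `apache2.access.vhost_port`, the simplified primitive regexes and the sample lines are assumptions made for illustration.

```python
import re

# Simplified regex stand-ins for the grok primitives the module pattern uses
# (assumption: close enough for this layout; real grok definitions are stricter).
PRIMITIVES = {
    "IPORHOST": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "POSINT": r"[1-9][0-9]*",
    "DATA": r".*?",
    "WORD": r"\w+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}

# First access pattern from the module's default.json, as quoted in the post.
STOCK = (r'%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} '
         r'\[%{HTTPDATE:apache2.access.time}\] "%{WORD:apache2.access.method} '
         r'%{DATA:apache2.access.url} HTTP/%{NUMBER:apache2.access.http_version}" '
         r'%{NUMBER:apache2.access.response_code} '
         r'(?:%{NUMBER:apache2.access.body_sent.bytes}|-)'
         r'( "%{DATA:apache2.access.referrer}")?( "%{DATA:apache2.access.agent}")?')

# Hypothetical field names for the leading "vhost:port " prefix; anchored with ^.
WITH_VHOST = r'^%{IPORHOST:apache2.access.vhost}:%{POSINT:apache2.access.vhost_port} ' + STOCK


def grok_to_regex(pattern):
    """Expand %{PRIMITIVE:field} tokens into named groups; return (regex, field names)."""
    fields = []

    def expand(tok):
        fields.append(tok.group(2))
        return "(?P<g%d>%s)" % (len(fields) - 1, PRIMITIVES[tok.group(1)])

    return re.compile(re.sub(r"%\{(\w+):([\w.]+)\}", expand, pattern)), fields


def parse(patterns, line):
    """Try patterns in order and return the fields of the first one that matches."""
    for pattern in patterns:
        regex, fields = grok_to_regex(pattern)
        m = regex.search(line)  # assumption: unanchored search, as grok does without ^
        if m:
            return {f: m.group("g%d" % i) for i, f in enumerate(fields)
                    if m.group("g%d" % i) is not None}
    return None


# Constructed sample lines: vhost-prefixed layout as in the post, and plain combined.
VHOST_LINE = ('shop.example.org:80 203.0.113.7 - - [09/Aug/2017:10:33:35 +0200] '
              '"GET /menu.jpg HTTP/1.1" 200 11838 "http://shop.example.org/nl" "Mozilla/5.0"')
PLAIN_LINE = VHOST_LINE.split(" ", 1)[1]
```

The prefixed pattern has to come before the stock one in the list: the stock pattern still matches a vhost-prefixed line from the client IP onward, so if it is tried first the vhost is silently lost.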

