Logstash tags every event with _grokparsefailure when parsing customized Apache logs through the grok filter. The same pattern works perfectly fine in the Grok debugger.
Example of customized Apache log:
quartz.texas.st.com:10001 10.10.10.10 - - [16/Jul/2018:17:13:48 -0700] + "GET /notification/Response/validate HTTP/1.1" 405 18 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 13849 0
quartz.texas.st.com:10101 10.10.10.10 - - [18/Jul/2018:00:00:20 -0700] + "POST /notification/request/validate HTTP/1.1" 200 430 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 1187025 1
logstash-apache.conf
# Receive events from Beats shippers (e.g. Filebeat) on TCP 5044.
# NOTE(review): no ssl options are set in this block, so the listener
# takes plaintext connections from any host that can reach the port.
# If shippers cross an untrusted network, enable TLS on the beats input
# and restrict the port at the firewall.
input {
  beats {
    port => 5044
  }
}
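# Parse the customised Apache access-log line into named fields.
# Only events whose [type] field equals "log" are parsed; any other event
# passes through this section unchanged.
filter {
  if [type] == "log" {
    grok {
      # Changes from the previous pattern:
      #  - The pattern is single-quoted, so the literal double quotes around
      #    the request line no longer collide with the config string quotes.
      #  - The brackets around the timestamp are escaped. Unescaped, the
      #    regex engine reads [ ... ] as a character class, not as literals.
      #  - The trailing space after the last field is gone. The log line ends
      #    directly after the seconds value, so a required trailing space
      #    makes every event fail with _grokparsefailure.
      #  - client_ip uses IPORHOST so both addresses and hostnames match.
      #  - The response size also accepts "-".
      #    NOTE(review): confirm against the Apache LogFormat whether the
      #    size can really be logged as "-" for empty bodies.
      #
      # NOTE(review): request_page needs at least one character after the
      # leading slash, so a request for "/" alone will still not match.
      # Lines that fail keep the _grokparsefailure tag. Malformed request
      # lines tend to land there, so keep those events searchable rather
      # than dropping them.
      match => {
        "message" => '%{NOTSPACE:VirtualHost} %{IPORHOST:client_ip} %{USER:user} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] %{NOTSPACE:connection_status} "%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" %{NUMBER:server_response} (?:%{NUMBER:size_of_response}|-) %{NOTSPACE:protocol} %{NOTSPACE:ssl_cipher} %{NUMBER:time_taken_microsec} %{NUMBER:time_taken_sec}'
      }
    }
  }
}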
# Ship every event to Elasticsearch and echo it to Logstash's stdout.
output {
  # NOTE(review): the host URL is plain http:// and this block sets no
  # user/password, so events (client IPs, request paths) travel
  # unencrypted and unauthenticated. Confirm that the cluster is reachable
  # only on a trusted network, or switch to https with credentials.
  elasticsearch {
    hosts => "http://10.10.10.10:9200"
    index => "qc_apache"
  }

  # Debug aid: prints each parsed event in full. Remove it once the grok
  # pattern is confirmed, so log contents are not duplicated into
  # Logstash's own stdout or journal.
  stdout { codec => rubydebug }
}