Getting _grokparsefailure exception while parsing customized Apache logs

I am getting a _grokparsefailure exception while parsing customized Apache logs through the grok filter. It works perfectly fine with the Grok debugger.

Example of customized Apache log:

quartz.texas.st.com:10001 10.10.10.10 - - [16/Jul/2018:17:13:48 -0700] + "GET /notification/Response/validate HTTP/1.1" 405 18 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 13849 0
quartz.texas.st.com:10101 10.10.10.10 - - [18/Jul/2018:00:00:20 -0700] + "POST /notification/request/validate HTTP/1.1" 200 430 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 1187025 1

logstash-apache.conf

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "log" {
    grok {
      match => [ "message" , "%{NOTSPACE:VirtualHost} %{HOSTNAME:client_ip} %{USER:user} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] %{NOTSPACE:connection_status} \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:size_of_response} %{NOTSPACE:protocol} %{NOTSPACE:ssl_cipher} %{NUMBER:time_taken_microsec} %{NUMBER:time_taken_sec} " ]
    }
  }
}

output {
  elasticsearch {
    hosts => "http://10.10.10.10:9200"
    index => "qc_apache"
  }
  stdout { codec => rubydebug }
}

You have a trailing space at the end of the grok pattern which is preventing it matching.

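The failure the reply above identifies, reproduced outside Logstash as an added example (not code from the thread). The grok references are expanded with simplified regex stand-ins, which are assumptions rather than Logstash's shipped pattern definitions, and the pattern is searched against the two log lines from the question with and without its trailing space.

```python
import re

# Simplified stand-ins for the grok patterns the question uses (assumption:
# adequate for these sample lines, not Logstash's shipped definitions).
GROK = {
    "NOTSPACE": r"\S+",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "USER": r"[A-Za-z0-9._-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

# Pattern from the question, including its trailing space.
PATTERN = (
    r'%{NOTSPACE:VirtualHost} %{HOSTNAME:client_ip} %{USER:user} %{USER:auth} '
    r'\[%{HTTPDATE:apache_timestamp}\] %{NOTSPACE:connection_status} '
    r'"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" '
    r'%{NUMBER:server_response} %{NUMBER:size_of_response} %{NOTSPACE:protocol} '
    r'%{NOTSPACE:ssl_cipher} %{NUMBER:time_taken_microsec} %{NUMBER:time_taken_sec} '
)

# The two log lines from the question.
SAMPLES = [
    'quartz.texas.st.com:10001 10.10.10.10 - - [16/Jul/2018:17:13:48 -0700] + "GET /notification/Response/validate HTTP/1.1" 405 18 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 13849 0',
    'quartz.texas.st.com:10101 10.10.10.10 - - [18/Jul/2018:00:00:20 -0700] + "POST /notification/request/validate HTTP/1.1" 200 430 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 1187025 1',
]

def grok_match(pattern, message):
    """Return the captured fields, or None (the _grokparsefailure case)."""
    regex = re.sub(r"%\{(\w+):(\w+)\}",
                   lambda m: "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)]),
                   pattern)
    found = re.search(regex, message)  # unanchored search over the message
    return found.groupdict() if found else None

def has_edge_whitespace(pattern):
    """True when the pattern starts or ends with whitespace."""
    return pattern != pattern.strip()

if __name__ == "__main__":
    for line in SAMPLES:
        for label, pat in (("as posted", PATTERN), ("trimmed", PATTERN.rstrip())):
            fields = grok_match(pat, line)
            print(label, "->", "_grokparsefailure" if fields is None
                  else fields["method"] + " " + fields["server_response"])
```

The pattern as posted requires a literal space after `time_taken_sec`, which neither log line has, so no fields are extracted until the pattern is trimmed.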

You can construct your patterns here and check whether they match before using them in Logstash. It is an easy way to find out whether the logs are parsing correctly in Logstash.

http://grokconstructor.appspot.com/do/constructionstep


Perfect! It's working fine now after removing the space.
Thank you so much for your help.
