Hey,

i'v got the problem that i have only one input in to logstash via filebeat but two difrent logfiles, a liferaylog an a apache Acceess_log. i can see that filebeat analyse that two files and send it tp logstash.

INPUT 01-input.conf :
input {
beats {
client_inactivity_timeout => 120
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/test-server.ag.crt"
ssl_key => "/etc/pki/tls/private/test-server.ag.p8"
}
}

FILTER 1 - 02-liferay.conf
filter {
grok {
match => {
"message" => "%{MONTHDAY:day}\s+%{MONTH:month}\s+%{YEAR:year}\s+%{TIME:time}\s+[%{GREEDYDATA:host}]\s+%{LOGLEVEL:loglevel}\s+[(?([-a-zA-Z/_0-9]))][][(?([-a-zA-Z/_0-9:]))]\s+(?(.*))"
}
}
}

INPUT 2 - 03-apache.conf
filter {
grok {
match => {
"message" => "(?(?:[[a-zA-Z0-9-]+]))\s+|\s+%{IP:ip}\s+-\s+-\s+(?([[0-9]{2}/[A-Za-z]/[0-9]:[0-9:]\s++[0-9]]))\s+(?([0-9/]))\s+"(?((GET|DELETE|POST|INSERT|UPDATE)))\s+%{URIPATH:resource}\s+HTTP/%{NUMBER:httpversion}"\s+(?(([0-9])))\s+(?(([0-9])))\s+"(?((([(http)|(https)]:[/][a-zA-Z0-9./-]))))"\s+"(?((.*)))""
}
}
}

OUTPUT 99-ouput.conf
output {
stdout { codec => rubydebug }

    elasticsearch {
            hosts => "localhost:9200"
            index => "logstash-%{+YYYY.MM.dd}"
    }

}

The Problem is that i can't finde the Apache Accesslog in my KIBANA. WHats the problem? Have i to configure to inputs for two different filetypes with a different PORT?

best regards Axel

Hi @Axel_Kruger,

what does your Filebeat config look like? Especially the inputs.

You can use the same port for all logs shipped from Filebeat

Hey A_B,

my FB inputs look like this

#=========================== Filebeat inputs =============================

filebeat.inputs:

Each - is an input. Most options can be set at the input level, so

you can use different inputs for various configurations.

Below are the input specific configurations.

• type: log

  Change to true to enable this input configuration.

  enabled: true

  Paths that should be crawled and fetched. Glob based paths.

  paths:

  - /var/log/messages

  - /var/log/secure

  • /opt/liferay/logs/liferay*.log
  • /opt/httpd/logs/access_log
    #- c:\programdata\elasticsearch\logs*

  Exclude lines. A list of regular expressions to match. It drops the lines that are

  matching any regular expression from the list.

  #exclude_lines: ['^DBG']

  Include lines. A list of regular expressions to match. It exports the lines that are

  matching any regular expression from the list.

  #include_lines: ['^ERR', '^WARN']

  Exclude files. A list of regular expressions to match. Filebeat drops the files that

  are matching any regular expression from the list. By default, no files are dropped.

  #exclude_files: ['.gz$']

  Optional additional fields. These fields can be freely picked

  to add additional information to the crawled log files for filtering

  #fields:

  level: debug

  review: 1

  Multiline options

  Multiline can be used for log messages spanning multiple lines. This is common

  for Java Stack Traces or C-Line Continuation

  The regexp Pattern that has to be matched. The example pattern matches all lines starting with [

  multiline.pattern: '^[[:space:]]+(at|.{3})\b|^Caused by:'

  Defines if the pattern set under pattern should be negated or not. Default is false.

  multiline.negate: false

  Match can be set to "after" or "before". It is used to define if lines should be append to a pattern

  that was (not) matched before or after or as long as a pattern is not matched based on negate.

  Note: After is the equivalent to previous and before is the equivalent to to next in Logstash

  multiline.match: after

  if you will set this max line after these number of multiline all will ignore

  multiline.max_lines: 250

That would be much easier to read if you would use </> from the tools to format it as Preformatted text.

I can't see any mention of Apache logs there.

filebeat.inputs:

• type: log
  enabled: true
  • /opt/liferay/logs/liferay*.log
  • /opt/httpd/logs/access_log

i dont have configure special filebeat apache logs, i only have set the path to the logfiles in the filebeat config.

Right, I should have seen that.

Not sure if you can have two completely separate filter configs, someone else will have to comment on that.

If it is possible to have several filter blocks in the config, then you are trying to grok the message field twice. You would probably want to add if statements and add some fields that you can use for that logic. You can add fields in Filebeat easily.

I have all my filters in one file, inside one filter {}.

@Axel_Kruger @A_B Yes, you can distribute filters across multiple files. logstash will concatenate the files, then start compiling. So, stupid as it might be, if you point a pipeline at directory containing these 4 files, it will work as if all the configuration were in one file, because by the time it starts compiling, effectively it is one file.

a.conf

input {
    generator { count => 1 lines => [ '' ] }
}
filter {

b.conf

    json { source => "message" }
    if [foo] != "bar" {
        mutate {

c.conf

        add_field => {
            "hello" => "world!"
        }
    }

d.conf

    }
}
output {
    stdout { codec => rubydebug { metadata => false } }
}

That said, both grok filters will apply to both types of files, so you will always get _grokparsefailure tags. Also, the patterns are not anchored, so it will be expensive for them to fail, since they will backtrack a lot. The configuration would be a lot cheaper if they were anchored to beginning of line with ^

"message" => "^%{MONTHDAY:day}\s+%{MONTH:month}\s+%{YEAR:year}\s+%{TIME:time}\s+...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.