Grok filter output to elastic not filtered

Using logstash 5.4.0 and elastic 5.4.0

I have a grok filter:

    %{MYDATESTAMP:loggedtimestamp} GMT%{ISO8601_TIMEZONE} %{MYTZ} [-] %{LOGLEVEL:loglevel}: %{GREEDYDATA:logmessage}

I have the patterns below:

    MYTZ (CE[S]?T)
    MYDATESTAMP %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}

My config file looks like below:

    input {
      file {
        path => "/root/.pm2/logs/mylog-test.log"
        start_position => "beginning"
      }
    }
    filter {
      grok {
        patterns_dir => ["opt/logstash/patterns"]
        match => { "message" => "%{MYDATESTAMP:loggedtimestamp} GMT%{ISO8601_TIMEZONE} %{MYTZ} [-] %{LOGLEVEL:loglevel}: %{GREEDYDATA:logmessage}" }
      }
    }

Output to elastic

    output {
      elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "testlogs"
      }
    }

Logfile entries look like below:

    2017-09-07T09:07:07.773Z POST /api/Account/Login 200
    Thu Sep 14 2017 05:59:55 GMT+0000 (CEST) - info: User testuser@gmail.com logged in

When testing this online it works, and only picks up the lines with a format like the second entry.
http://grokconstructor.appspot.com/do/match#result

But when running this with logstash, elasticsearch gets filled with all entries. Some of the ones that should not be there have the tag _grokparsefailure, some don't. The ones not matching the filter do not have the correct fields like loggedtimestamp.

Any suggestions to what is wrong with my config file/grok filter?

Unless you explicitly configure Logstash otherwise, all events will be sent to all outputs. If you don't want events where the grok parsing failed to be sent to your elasticsearch output, wrap it in a conditional.

    if "_grokparsefailure" not in [tags] {
      elasticsearch { ... }
    }

After writing this post I realized that must be the case, but I could not really find that information anywhere in the logstash documentation. That would have been nice. I used an if statement and dropped the entries I was not interested in. Like this:

    if [message] !~ "logged in" {
      drop { }
    }
That seems to work fine.
Thank you for replying!
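To make the behaviour discussed in this thread concrete, here is an added Python model of the pipeline (not Logstash's code and not the poster's configuration). It expands the post's grok expression from a small subset of the stock pattern library plus the two custom patterns, runs the two sample log lines through it, tags non-matching events with `_grokparsefailure` the way the grok filter does, and then applies both fixes: the answer's conditional around the output and the reply's `drop` filter. One assumption is labelled in the code: `MYTZ` is written with escaped parentheses so that it matches the literal `(CEST)` in the sample line.

```python
import re

# Subset of the stock Logstash grok pattern library (simplified) plus the
# custom patterns from the post. MYTZ is written with escaped parentheses so
# it matches the literal "(CEST)" in the sample line (assumption of this example).
PATTERNS = {
    "DAY": r"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)",
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "LOGLEVEL": r"(?:[Tt]race|TRACE|[Dd]ebug|DEBUG|[Ii]nfo|INFO|[Ww]arn(?:ing)?|WARN(?:ING)?|[Ee]rr(?:or)?|ERR(?:OR)?|[Ff]atal|FATAL)",
    "GREEDYDATA": r".*",
    # custom patterns from the post
    "MYTZ": r"\(CE[S]?T\)",
    "MYDATESTAMP": r"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern):
    """Expand %{NAME} / %{NAME:field} references recursively into one Python regex."""
    def expand_all(p):
        return GROK_REF.sub(expand, p)

    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = expand_all(PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

    return re.compile(expand_all(pattern))


# The grok expression from the post, unchanged.
GROK = compile_grok(
    r"%{MYDATESTAMP:loggedtimestamp} GMT%{ISO8601_TIMEZONE} %{MYTZ} [-] "
    r"%{LOGLEVEL:loglevel}: %{GREEDYDATA:logmessage}"
)

# The reply's drop condition: if [message] !~ "logged in" { drop { } }
KEEP_PATTERN = re.compile(r"logged in")


def grok_filter(event):
    """Mimic the grok filter: add captured fields on match, else tag _grokparsefailure."""
    m = GROK.search(event["message"])  # grok searches; it is not anchored at ^
    if m:
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
    else:
        event.setdefault("tags", []).append("_grokparsefailure")
    return event


def passes_output_conditional(event):
    """The answer's fix: only events without the failure tag reach elasticsearch."""
    return "_grokparsefailure" not in event.get("tags", [])


def survives_drop_filter(event):
    """The reply's fix: drop every event whose message does not match the regex."""
    return KEEP_PATTERN.search(event["message"]) is not None


# Constructed sample input: the two lines quoted in the question.
SAMPLE_LOG = [
    "2017-09-07T09:07:07.773Z POST /api/Account/Login 200",
    "Thu Sep 14 2017 05:59:55 GMT+0000 (CEST) - info: User testuser@gmail.com logged in",
]


def run_pipeline(lines):
    """Return (all events after grok, events passing the output conditional,
    events surviving the drop filter)."""
    events = [grok_filter({"message": line}) for line in lines]
    shipped = [e for e in events if passes_output_conditional(e)]
    kept = [e for e in events if survives_drop_filter(e)]
    return events, shipped, kept


if __name__ == "__main__":
    events, shipped, kept = run_pipeline(SAMPLE_LOG)
    for e in events:
        print(e.get("tags", []), e.get("loggedtimestamp"), e.get("loglevel"))
    print(f"{len(shipped)} of {len(events)} events pass the output conditional")
    print(f"{len(kept)} of {len(events)} events survive the drop filter")
```

Without either fix, both events would be written to the index: the first with only `message` and `tags`, the second with `loggedtimestamp`, `loglevel` and `logmessage` filled in, which is exactly the mix the question describes. Note that the two fixes are not equivalent in general: the output conditional keeps every event grok could parse, while the `drop` filter keeps only login messages regardless of whether grok parsed them.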
