Hey,
For some days now I have been trying to figure out how to properly use grok to filter my log files.
I use the classic(?) setup with Filebeat as the input for Logstash, and Elasticsearch and Kibana for visualizing.
So far I have managed to display some data in Kibana Explore, but my custom fields (which I defined(?) in grok) are always empty...
It also seems that only two of my log files are filtered (syslog and another one), but my server has more than 20 different ones. The filebeat.yaml is set to /var/log/*, so every file in there should be BEATEN to Logstash.
My goal is to analyze the access and error logs from Apache as well as from ModSecurity, but the ModSecurity log entries in particular seem to be a mess to filter with grok.
Is there anyone out there who could share their grok filters or link a tutorial on how to properly configure grok? I have tried so many (kifarunix.com and so on) but with no real success.
All the fields I get seem to be made by Kibana itself, and most of them only offer information about the target (host) but nothing about the client (agent).
Thank you in advance, Louis
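Added example (not part of the post above, and not code from the Logstash or ModSecurity projects): a small Python script that does, with plain regexes, what a grok filter does to the two log formats the question is about. The first regex is the same shape as grok's built-in `%{HTTPD_COMBINEDLOG}` pattern (in a Logstash pipeline you would write `grok { match => { "message" => "%{HTTPD_COMBINEDLOG}" } }`), with the legacy grok field names `clientip`, `verb`, `request`, `referrer` and `agent` as named groups; with ECS compatibility switched on, Logstash emits ECS names instead (for example `source.address` and `user_agent.original`). The second part pulls the `[key "value"]` pairs out of a ModSecurity 2.x entry in the Apache 2.4 error log, which is what a custom grok pattern for ModSecurity has to do. Both sample lines are constructed for the example; the rule id, file path and unique_id in the ModSecurity line are placeholders, not real events.

```python
import re

# Regex equivalent of grok's %{HTTPD_COMBINEDLOG} (Apache "combined" LogFormat),
# with the legacy grok field names as named groups.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# ModSecurity 2.x writes to the Apache 2.4 error log as
#   [timestamp] [:error] [pid N:tid N] [client IP:PORT] ModSecurity: <action>. ... [key "value"] ...
# The prefix regex takes the client address and the action; the key/value regex
# then collects every [key "value"] pair. The quotes make it skip [client ...],
# [pid ...] and the timestamp, which carry no quoted value. (IPv4 only; the
# [client ...] field in the constructed sample is IPv4 with a port.)
MODSEC_PREFIX_RE = re.compile(
    r'\[client (?P<clientip>[^\]:]+)(?::(?P<clientport>\d+))?\] '
    r'ModSecurity: (?P<action>[^.]+\.)'
)
MODSEC_KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>(?:[^"\\]|\\.)*)"\]')

# Constructed sample lines (not real traffic, placeholder rule id / path / unique_id).
SAMPLE_ACCESS = (
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.php?id=1 HTTP/1.1" 200 2326 '
    '"http://example.com/start" "Mozilla/5.0 (X11; Linux x86_64)"'
)
SAMPLE_MODSEC = (
    '[Tue Mar 01 10:00:00.123456 2022] [:error] [pid 1234:tid 140123456789] '
    '[client 203.0.113.5:54321] ModSecurity: Warning. Pattern match "(?i:union.*select)" at ARGS:id. '
    '[file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] '
    '[id "900001"] [msg "SQL Injection Attack (constructed sample)"] '
    '[data "Matched Data: union select found within ARGS:id"] [severity "CRITICAL"] '
    '[tag "attack-sqli"] [tag "OWASP_CRS"] [hostname "www.example.com"] [uri "/index.php"] '
    '[unique_id "YgMabcdefghijk"]'
)


def grok_failure() -> dict:
    """What grok does on a mismatch: no fields at all, only a tag (never empty fields)."""
    return {"tags": ["_grokparsefailure"]}


def grok_apache(line: str) -> dict:
    """Parse one Apache combined access-log line into grok-style fields."""
    m = COMBINED_RE.match(line)
    if not m:
        return grok_failure()
    fields = m.groupdict()
    fields["response"] = int(fields["response"])  # same as %{NUMBER:response:int} in grok
    fields["bytes"] = None if fields["bytes"] == "-" else int(fields["bytes"])
    return fields


def parse_modsec(line: str) -> dict:
    """Parse one ModSecurity entry from the Apache error log into key/value fields."""
    m = MODSEC_PREFIX_RE.search(line)
    if not m:
        return grok_failure()
    event = {"clientip": m.group("clientip"), "action": m.group("action")}
    for key, value in MODSEC_KV_RE.findall(line):
        value = value.replace('\\"', '"')  # ModSecurity escapes quotes inside values
        if key == "tag":  # [tag "..."] repeats, so keep all of them as a list
            event.setdefault("rule_tags", []).append(value)
        else:
            event[key] = value
    return event


if __name__ == "__main__":
    # Client-side fields the question is after: who sent the request and with what agent.
    access = grok_apache(SAMPLE_ACCESS)
    print(access["clientip"], access["verb"], access["request"], access["agent"])
    modsec = parse_modsec(SAMPLE_MODSEC)
    print(modsec["clientip"], modsec["id"], modsec["msg"], modsec["rule_tags"])
    # A syslog line does not match the Apache pattern: no fields, only the failure tag.
    print(grok_apache("Mar  1 10:00:00 host sshd[1]: Accepted publickey for root"))
```

Two checks worth making in the real pipeline, based on how grok behaves as shown above: grok never emits empty fields on a mismatch, it drops all of them and adds `_grokparsefailure` to `tags`, so a custom field that is always empty in Kibana usually means the pattern never matched the `message` and filtering Discover on that tag will show which lines. And a Filebeat `paths` glob of `/var/log/*` matches only files directly in `/var/log`, not those in subdirectories such as `/var/log/apache2/`, so Apache and ModSecurity logs need their own path entries (e.g. `/var/log/apache2/*.log`) before any grok filter can see them.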