Grok... is it just me or is it really that difficult?


for some days now i try to figure out how to properly use grok to filter my logfiles.
I use the classic? setup with filebeat as the input of logstash and elasticsearch and kibana for visualizing.

So far i managed to display some data in kibana explore; but my custom fields (which i defined? in grok) are always empty...

it also seems like, that only two of my logfiles are filtered (syslog and another one); but my server got like more then 20 different. The filebeat.yaml is set to /var/log/* - so every file in there should be BEATEN to logstash.

My goal is to analyze access and error logs from apache as well from modsecurity; but particularly modsecurity log entries seem to be a mess to filter with grok.

Is there anyone out there who could share his grok filters or link a tutorial on how to properly configure grok? I tried so many ( and so on) but with no real success.

All field i get seem to be made by kibana itself and most of them only offer information about the target (host) but nothing about the client (agent).

Thank you in advance, Louis

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.