Grok pattern for access.log file

I need a grok pattern for the below type of access.log.

172.26.76.68 - - [02/Jul/2019:19:23:16 +0530] POST /abc/apiname HTTP/1.1 200 2049 7

172.26.76.68 - - [02/Jul/2019:19:23:15 +0530] GET /abc/apiname/id/123456789/idType/NIC/lob/xyz HTTP/1.1 200 70 4

Do you have an idea of a grok pattern for this case? Please kindly assist.

Thank you.

Use the filebeat Apache module?
The groks are there in /usr/share/filebeat/modules/Apache/ingest/pipeline.json

It is similar to the HTTPD_COMMONLOG but missing the double quotes, so you can modify that pattern. HTTPD_COMMONLOG is

%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)

Try

grok { match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:somethingElse}" } }
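A quick offline check of the two patterns above against the two sample lines from the question. This is an added example, not part of the thread or of Logstash itself: the entries in GROK are simplified stand-ins for the stock grok definitions, and grok_to_regex and parse are hypothetical helper names.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumptions for this
# example, not the exact regexes shipped with Logstash).
GROK = {
    "IPORHOST": r"[0-9A-Za-z.:\-]+",
    "HTTPDUSER": r"[A-Za-z0-9._@%+\-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "DATA": r".*?",
}

# Patterns as quoted in the thread.
HTTPD_COMMONLOG = r'%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
SUGGESTED = r'%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] (?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:somethingElse}'

# The two sample lines from the question.
SAMPLES = [
    "172.26.76.68 - - [02/Jul/2019:19:23:16 +0530] POST /abc/apiname HTTP/1.1 200 2049 7",
    "172.26.76.68 - - [02/Jul/2019:19:23:15 +0530] GET /abc/apiname/id/123456789/idType/NIC/lob/xyz HTTP/1.1 200 70 4",
]

def grok_to_regex(pattern):
    """Expand %{NAME:field} and %{NAME} references into a Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def parse(pattern, line):
    """Return the captured fields (unset ones dropped), or None on no match."""
    m = grok_to_regex(pattern).search(line)  # grok matching is unanchored
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

if __name__ == "__main__":
    for line in SAMPLES:
        print("HTTPD_COMMONLOG:", parse(HTTPD_COMMONLOG, line))
        print("suggested:      ", parse(SUGGESTED, line))
```

HTTPD_COMMONLOG returns no match on both lines because it requires the quotes around the request, while the modified pattern extracts every field including the trailing number.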
