Grok Pattern For Access Log

Michael_TRAN · June 23, 2017, 11:43am

Hi,

I have a issue with the grok pattern for access log. I try this grok filter %{COMBINEDAPACHELOG} but it's not working.
I identify why and it's because of this variable "301148" between
the date and GET

100.1.1.1 - - [23/Jun/2017:09:17:46 +0200] 301148 "GET /test./test/ " 200 8 "-" "-"

Do you have an idea of grok pattern for this case ?

Thank you
Michael

magnusbaeck · June 26, 2017, 6:32am

Here's the original definition of the patterns (COMBINEDAPACHELOG just points to HTTPD_COMBINEDLOG):

github.com

logstash-plugins/logstash-patterns-core/blob/v4.1.1/patterns/httpd#L5-L6


HTTPD_COMMONLOG %{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}

Make a copy of them and place '%{NUMBER}after the date, or%{NUMBER:foo}if you want to capture the number into the fieldfoo`.

Michael_TRAN · June 27, 2017, 9:30am

Thank you Magnus !

Topic		Replies	Views
Grok pattern for access.log file Logstash	3	317	July 30, 2019
Where can I find the grok pattern for the COMBINEDAPACHELOG in logstash? Logstash	5	7482	July 12, 2020
Unable to write grok filter for access.log Logstash	8	397	June 22, 2021
Logstash Grok unable to create new fields for apache-access log Logstash	4	1261	July 6, 2017
Grok Pattern for Apache Access logs (facing _grokparsefailure error) Logstash	5	12021	October 16, 2017

Grok Pattern For Access Log

Related topics