Help to GROK parse JBoss EAP 6 access log

Greetings!!!

I'm trying to parse JBoss Access Log Message without success.
In the grok debugger, the regex works fine, but in the LOGSTASH 5.2.0 Grok Filter I'm getting the _grokparsefailure.

This is the LOGPATTERN:

%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D %T

This is the message format:

200.155.87.164 - - [12/Apr/2017:23:24:10 -0300] "POST /ibhbacaoconsulta/posicaoConsolidada.jsf?javax.portlet.faces.DirectLink=true HTTP/1.1" 302 - "https://www.hb.prebanco.com.br/ibhbacaoconsulta/posicaoConsolidada.jsf?CTL=8099044819513080700050" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 21 0.021

These are the two ways I tried based on COMBINEDAPACHELOG grok pattern:

match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:double}" }

match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent} %{NUMBER:microsecond:double} %{NUMBER:second:double}" }

And this is my configuration:

input {
  file {
    type => "ibhbacaoconsulta1a-accesslog"
    path => "/suportedbdc/jboss-eap-6.4/domain/servers/ibhbacaoconsulta1a/log/default-host/access-log_*"
    ignore_older => 0
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  grok {
    # Both patterns are tried in order; the first one that matches wins.
    # Inside a Logstash string, "[" and "\"" must be escaped as \[ and \".
    match => { "message" => [
      "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:double}",
      "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent} %{NUMBER:microsecond:double} %{NUMBER:second:double}"
    ] }
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  stdout { codec => rubydebug }
}

I hope someone can help me.

Thanks in advance!

Bruno Lacerda

Problem solved!!!

The tip was found in "Grokparsefailure, but works in grok debugger".

The Logstash message was a bit different, it was:

200.155.87.165 - - [13/Apr/2017:11:00:33 -0300] "GET /ibhbagendamentoacao/compra.jsf?CTL=3178956819215030102050 HTTP/1.1" 200 38752 "https://www.hb.prebanco.com.br/ibhbagendamentoacao/acompanhamento.jsf?CTL=3178956819215030102050" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)" 247 0.247

And the proper regex became:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:float}

See you.
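The same field layout can be checked outside Logstash before touching a pipeline. The following is an added example, not code from the thread or from Logstash: a plain Python regex equivalent of the final grok pattern above, run over constructed sample lines with hypothetical hosts and paths (192.0.2.x, www.example.com) in the JBoss EAP 6 layout. It deviates from the final pattern in one way the question's own first line needs: the bytes field also accepts "-" (the 302 redirect case), as the earlier `(?:%{NUMBER:bytes}|-)` variant did. The two trailing numbers in the samples are consistent with %D in milliseconds and %T in seconds (21 beside 0.021), so the example stores them as `duration_ms` and `duration_s` and checks that they agree, then counts lines that fail to match instead of dropping them silently, which is the local equivalent of watching for `_grokparsefailure`.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Regex equivalent of the grok pattern
#   %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\]
#   "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response}
#   %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:float}
# with "-" allowed for bytes (redirects) and "[" / "\"" escaped as a regex requires.
ACCESS_LOG_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<httpversion>\d+\.\d+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)" '
    r'(?P<duration_ms>\d+) (?P<duration_s>\d+\.\d+)$'
)

# Constructed sample lines (hypothetical hosts/paths) in the layout
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D %T.
# The last line is deliberately malformed to exercise the failure path.
SAMPLE_LINES = [
    '192.0.2.10 - - [12/Apr/2017:23:24:10 -0300] "POST /app/consulta.jsf?x=1 HTTP/1.1" 302 - '
    '"https://www.example.com/app/consulta.jsf" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 21 0.021',
    '192.0.2.11 - - [13/Apr/2017:11:00:33 -0300] "GET /app/compra.jsf?CTL=1 HTTP/1.1" 200 38752 '
    '"https://www.example.com/app/acompanhamento.jsf" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)" 247 0.247',
    '192.0.2.12 - - [13/Apr/2017:11:02:05 -0300] "GET /app/relatorio.jsf HTTP/1.1" 500 512 '
    '"-" "curl/7.52.1" 3105 3.105',
    'garbage line that does not match the layout',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into typed fields; None means the line did not match."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # Same format the date filter in the thread uses: dd/MMM/yyyy:HH:mm:ss Z
    ev["timestamp"] = datetime.strptime(ev["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    ev["response"] = int(ev["response"])
    ev["bytes"] = None if ev["bytes"] == "-" else int(ev["bytes"])
    ev["duration_ms"] = int(ev["duration_ms"])
    ev["duration_s"] = float(ev["duration_s"])
    return ev


def durations_agree(ev: dict, tolerance_ms: int = 1) -> bool:
    """%D (ms) and %T (s) describe the same request; a mismatch points at a mis-parsed line."""
    return abs(ev["duration_ms"] - round(ev["duration_s"] * 1000)) <= tolerance_ms


def parse_all(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Return (events, unparsed_lines); unparsed lines are kept so they can be counted."""
    events: List[dict] = []
    failures: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            failures.append(line)
        else:
            events.append(ev)
    return events, failures


def find_slow_or_error(events: List[dict], slow_ms: int = 1000) -> List[dict]:
    """Events worth a second look: server errors or requests slower than slow_ms."""
    return [ev for ev in events if ev["response"] >= 500 or ev["duration_ms"] > slow_ms]


if __name__ == "__main__":
    parsed, unparsed = parse_all(SAMPLE_LINES)
    print(f"parsed={len(parsed)} unparsed={len(unparsed)}")
    for ev in find_slow_or_error(parsed):
        print(ev["clientip"], ev["response"], ev["duration_ms"], ev["request"])
```

Running it parses three of the four sample lines and reports the single 500 response (which is also the only request over one second); the unparsed count is the number you would expect to see as `_grokparsefailure` tags once the pattern goes into the pipeline.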
