Help to GROK parse JBoss EAP 6 access log

bsl.lacerda · April 13, 2017, 3:06pm

Problem solved!!!

The tip was found in Grokparsefailure, but works in grok debugger

The Logstash message was a bit different, it was:

200.155.87.165 - - [13/Apr/2017:11:00:33 -0300] "GET /ibhbagendamentoacao/compra.jsf?CTL=3178956819215030102050 HTTP/1.1" 200 38752 "https://www.hb.prebanco.com.br/ibhbagendamentoacao/acompanhamento.jsf?CTL=3178956819215030102050" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/7.0)" 247 0.247

And the proper regex become:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{NUMBER:microsecond:int} %{NUMBER:second:float}

See you.

Topic		Replies	Views
Grok Pattern for Apache Access logs (facing _grokparsefailure error) Logstash	5	11878	October 16, 2017
Grok filter - access log Logstash	4	219	April 10, 2019
Where can I find the grok pattern for the COMBINEDAPACHELOG in logstash? Logstash	5	6859	July 12, 2020
_grokparsefailure for IIS logs Logstash	10	2878	July 6, 2017
Logstash parsing problem Logstash	5	395	February 6, 2020

Help to GROK parse JBoss EAP 6 access log

Related topics