Help with a grok filter

Kevin_M · August 18, 2014, 1:57pm

Could someone help me write a grok filter for this log real quick here is
what the log looks like:

Aug 18 09:40:39 server01 webmin_log: 172.16.16.96 - username [18/Aug/2014:09:40:39
-0400] "GET /right.cgi?open=system&open=status HTTP/1.1" 200 3228

here is what I have so far:

match => [ "message", "%{SYSLOGTIMESTAMP:timestamp} %{WORD:Server}
webmin_log: %{IP:IP_Address} - %{USERNAME:username} *[ stuck at this middle
part [18/Aug/2014:09:40:39 -0400] *] "%{WORD:method}
%{URIPATHPARAM:request} HTTP/1.1 %{NUMBER:bytes} %{NUMBER:duration}

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/4784c4b4-65ab-4894-8a1b-a8ab0fba0ed6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

vitaly_bulgakov · August 18, 2014, 5:53pm

On Monday, August 18, 2014 9:57:41 AM UTC-4, Kevin M wrote:

Could someone help me write a grok filter for this log real quick here is
what the log looks like:

Aug 18 09:40:39 server01 webmin_log: 172.16.16.96 - username [18/Aug/2014:09:40:39
-0400] "GET /right.cgi?open=system&open=status HTTP/1.1" 200 3228

here is what I have so far:

match => [ "message", "%{SYSLOGTIMESTAMP:timestamp} %{WORD:Server}
webmin_log: %{IP:IP_Address} - %{USERNAME:username} *[ stuck at this
middle part [18/Aug/2014:09:40:39 -0400] *] "%{WORD:method}
%{URIPATHPARAM:request} HTTP/1.1 %{NUMBER:bytes} %{NUMBER:duration}

It is just a sequence of regular expressions catching fields one by one.
Look, e.g at my post.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/fc1251d5-d346-475d-9d21-bf993b45062e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin_M · August 18, 2014, 6:58pm

I dont see your post - what I am stuck with is whenever the date changes on
that log example:

[18/Aug/2014:09:40:39 -0400]

[20/Aug/2014:11:40:39 -0104]
[19/Aug/2014:08:40:39 -0500]

the filter will not match it

On Monday, August 18, 2014 1:53:37 PM UTC-4, vitaly wrote:

On Monday, August 18, 2014 9:57:41 AM UTC-4, Kevin M wrote:

Could someone help me write a grok filter for this log real quick here is
what the log looks like:

Aug 18 09:40:39 server01 webmin_log: 172.16.16.96 - username [18/Aug/2014:09:40:39
-0400] "GET /right.cgi?open=system&open=status HTTP/1.1" 200 3228

here is what I have so far:

match => [ "message", "%{SYSLOGTIMESTAMP:timestamp} %{WORD:Server}
webmin_log: %{IP:IP_Address} - %{USERNAME:username} *[ stuck at this
middle part [18/Aug/2014:09:40:39 -0400] *] "%{WORD:method}
%{URIPATHPARAM:request} HTTP/1.1 %{NUMBER:bytes} %{NUMBER:duration}

It is just a sequence of regular expressions catching fields one by one.
Look, e.g at my post.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b2e3db4a-385d-4bb0-aa2c-0b5b7f96b728%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.