i successfully revived the below masses on my web server
10.29.10.204 - - [17/Jan/2016:00:12:16 +0300] "GET /POS-WS-Client/mTopup?uid=&password=&amount=20&msisdn=012&tid=0 HTTP/1.1" 200 21
actually i need to know to cut on this message on any spasfic filed
for example IP address i need to know top 10 ip ? or top 10 UID ?
my configurations file /etc/logstash/conf.d/10-syslog.conf as below;
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
You should indeed use a grok filter to parse fields out of a string, but your logfile is a standard HTTP logfile and a syslog grok expression won't be able to parse it. I expect you'll have better luck with the COMMONAPACHELOG pattern.
what is the different between standard HTTP logfile and the other standers
Not sure what you mean but... many HTTP log files have the same format as your file (a format often called "common") but the "combined" format is also common (see the COMBINEDAPACHELOG pattern). Those are the two reasonably standardized formats, at least on Unix-based systems.
Use this http://grokdebug.herokuapp.com/
Love it and cherish it, the most useful aid there is for parsing.
Also, you should seriously consider not using GET that includes a password value, big security risk
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.