How to add ip (any specific parameters) to filter in logstash?


(Mohamed Ibrahim) #1

I successfully received the below messages on my web server

10.29.10.204 - - [17/Jan/2016:00:12:16 +0300] "GET /POS-WS-Client/mTopup?uid=&password=&amount=20&msisdn=012&tid=0 HTTP/1.1" 200 21

Actually I need to know how to cut this message on any specific field,
for example IP address. I need to know the top 10 IPs, or the top 10 UIDs?


(Mohamed Ibrahim) #2

My configuration file /etc/logstash/conf.d/10-syslog.conf is as below:

filter {
  if [type] == "syslog" {
    grok {
      # the square brackets around the pid are literal characters and must be escaped
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


(Magnus Bäck) #3

You should indeed use a grok filter to parse fields out of a string, but your logfile is a standard HTTP logfile and a syslog grok expression won't be able to parse it. I expect you'll have better luck with the COMMONAPACHELOG pattern.


(Mohamed Ibrahim) #4

What is the difference between a standard HTTP logfile and the other standards?


(Magnus Bäck) #5

Not sure what you mean but... many HTTP log files have the same format as your file (a format often called "common") but the "combined" format is also common (see the COMBINEDAPACHELOG pattern). Those are the two reasonably standardized formats, at least on Unix-based systems.


(Elvar) #6

Use this http://grokdebug.herokuapp.com/

Love it and cherish it, the most useful aid there is for parsing.

Also, you should seriously consider not using a GET that includes a password value; it is a big security risk.
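To make concrete what posts #3 and #5 recommend (parsing the line with the COMMONAPACHELOG pattern instead of a syslog pattern) and what post #6 warns about (the password travels in the URL and therefore lands in the access log), here is an added Python illustration that is not part of the thread and not Logstash code. It uses a regular expression equivalent to COMMONAPACHELOG, splits the query string into fields the way Logstash's kv filter would, redacts the password before the event is stored, parses the timestamp the way a date filter with the pattern "dd/MMM/yyyy:HH:mm:ss Z" would, and then answers the original question (top N client IPs, top N uid values). The log lines are constructed for the example; only the first one mirrors the format posted in the thread.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, urlencode

# Regex equivalent of the Logstash COMMONAPACHELOG grok pattern:
# clientip ident auth [timestamp] "verb request HTTP/version" response bytes
COMMON_LOG_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)$'
)

# Assumption: query parameters that must never be kept in the indexed event.
SENSITIVE_PARAMS = {"password"}

# Constructed sample input (the first line follows the thread's format; the
# rest are invented). The last line is a syslog line, which the HTTP pattern
# must reject rather than mis-parse.
SAMPLE_LINES = [
    '10.29.10.204 - - [17/Jan/2016:00:12:16 +0300] "GET /POS-WS-Client/mTopup?uid=1001&password=s3cret&amount=20&msisdn=012&tid=0 HTTP/1.1" 200 21',
    '10.29.10.204 - - [17/Jan/2016:00:12:17 +0300] "GET /POS-WS-Client/mTopup?uid=1001&password=s3cret&amount=50&msisdn=013&tid=1 HTTP/1.1" 200 21',
    '10.29.10.205 - - [17/Jan/2016:00:12:18 +0300] "GET /POS-WS-Client/mTopup?uid=1002&password=hunter2&amount=20&msisdn=014&tid=2 HTTP/1.1" 200 21',
    '10.29.10.204 - - [17/Jan/2016:00:12:19 +0300] "GET /POS-WS-Client/mTopup?uid=1003&password=pa55&amount=10&msisdn=015&tid=3 HTTP/1.1" 401 0',
    '10.29.10.206 - - [17/Jan/2016:00:12:20 +0300] "GET /index.html HTTP/1.1" 200 1024',
    'Jan 17 00:12:21 webhost sshd[1234]: Accepted publickey for ops from 10.29.10.9',
]


def parse_common_log(line):
    """Parse one Common Log Format line into an event dict, or return None
    when the line does not match (what grok would tag _grokparsefailure)."""
    m = COMMON_LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()

    # Equivalent of a Logstash date filter with "dd/MMM/yyyy:HH:mm:ss Z".
    event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")

    # Split the query string into fields, like the kv filter on the request.
    parts = urlsplit(event["request"])
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    # Redact credentials before the event goes anywhere near an index,
    # both in the individual field and in the raw request string.
    for name in SENSITIVE_PARAMS:
        if name in params:
            params[name] = "[REDACTED]"
    event["params"] = params
    if parts.query:
        event["request"] = parts.path + "?" + urlencode(params)
    return event


def parse_lines(lines):
    """Parse all lines, silently dropping the ones that are not HTTP access log lines."""
    return [e for e in map(parse_common_log, lines) if e is not None]


def top_n(events, getter, n=10):
    """Count a field across events and return the n most common (value, count) pairs.
    Events where the field is missing (e.g. no uid in the query) are skipped."""
    counter = Counter()
    for event in events:
        value = getter(event)
        if value is not None:
            counter[value] += 1
    return counter.most_common(n)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LINES)
    print("parsed", len(events), "of", len(SAMPLE_LINES), "lines")
    print("top IPs: ", top_n(events, lambda e: e["clientip"], 10))
    print("top UIDs:", top_n(events, lambda e: e["params"].get("uid"), 10))
    print("stored request:", events[0]["request"])
```

In a real pipeline the same steps are a grok filter with `%{COMMONAPACHELOG}`, a kv filter over the query part of the request, and a mutate filter that removes the password field; the top-N questions are then answered by a terms aggregation in Elasticsearch rather than by code. Redacting before indexing matters because, as post #6 points out, every password sent in a GET is otherwise preserved in the log and in every copy of it.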
