@magnusbeack
Could you please help me to fix this issue.
noting the escape \
I don't understand why there are fewer escape characters.I obviously added the escape character \.
stdin { }
}
filter{
if[message] =~ /^\[.*/ {
grok {
match => ["message" ,'%{SYSLOG5424SD:cliip}, %{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}else{
grok {
match => ["message", '%{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}
}
output{
stdout {}
}
Is this conf is working for you?
yes,noting the escape character \
Thanks @wolfman .
Somehow i managed the issue in my way, i am getting grokparsefailure error but logs are structured properly.
out of 35000 log line 32000 logs are structured
Thanks for the help
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.