How to make logstash filter multiple grok pattern

lzold_z · July 17, 2022, 8:32am

Hello, im new to the logstash and i want to know how to make logstash filter multiple grok pattern for example from httpd error logs and access logs, im already have those pattern but logstash seem didnt catch the logs, here is the sample logstash configuration i have

input {
   beats {
    port => 5044
 }
}

filter {
  if "httpd_accesslog" in [fields][type] {
     mutate {
       remove_field => ["log","ecs","input","tags","fields","agent" ,"os"]
       update => {
        "event" => "%{[event][original]}"
        "host" => "%{[host][hostname]}"
        "fields" => "%{[fields][type]}"
        }
    }
    grok {
      break_on_match => false
      match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" }
    }
  }
   else if "httpd_errorlog" in [fields][type] {
     mutate {
       remove_field => ["log","ecs","input","tags","fields","agent" ,"os"]
       update => {
        "event" => "%{[event][original]}"
        "host" => "%{[host][hostname]}"
        "fields" => "%{[fields][type]}"
        }
    }
    grok {
      break_on_match => false
      match => { "message" => "%{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}" }
    }
  }
}

output {

    if "httpd_accesslog" in [fields] {
        solr_http {
            solr_url => "http://ip address:8983/solr/access-logs"
        }
    }
    else if "httpd_errorlog" in [fields] {
        solr_http {
            solr_url => "http://ip address:8983/solr/error-logs"
        }
    }
}

and here is my filebeat.yml file

filebeat.inputs:

- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log
  fields:
    type: httpd_accesslog

- type: log
  enabled: true
  paths:
    - /var/log/httpd/error_log
  fields:
    type: httpd_errorlog
  multiline.type: pattern
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after
  multiline.max.lines: 30

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["ipaddress:5044"]

Badger · July 18, 2022, 2:56am

In the filter section you have if "httpd_accesslog" in [fields][type] {, which is testing whether that string occurs with that field (a substring match). That will probably work, but I would suggest an equality test, which I think is clearer

if [fields][type] == "httpd_accesslog"

In the output section you have if "httpd_accesslog" in [fields] {, which I do not think will ever work because [fields] is an object, not a string. Use the same test I suggested for the filter section.

lzold_z · July 19, 2022, 9:17am

Thank you so much @Badger it's works

system · August 16, 2022, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok performance Logstash	5	1307	January 18, 2018
Multiple Grok pattern filters arent filtering multiple logs in one logstash file Logstash	8	3586	February 13, 2020
Logstash 8.1 multiple patterns Logstash	2	160	December 22, 2023
Multiple grok pattern, really multiple? Logstash	2	211	April 28, 2022
Grok filter with multiple regex not working Logstash	9	976	June 6, 2018

How to make logstash filter multiple grok pattern

Related topics