mikygee
August 15, 2017, 9:07am
1
Hello,
I have grok rules that work fine to match the OS and user agent
grok {
break_on_match => true
match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
tag_on_failure => ["nginx_access_parsing_failed"]
remove_tag => ["_grokparsefailure"]
add_tag => ["Web"]
add_tag => ["Nginx"]
}
if [http_user_agent] != "-" and [http_user_agent] != "" {
useragent {
source => "http_user_agent"
}
}
if "UA" in [tags] {
if [device] == "Other" { mutate { remove_field => "device" } }
if [name] == "Other" { mutate { remove_field => "name" } }
if [os] == "Other" { mutate { remove_field => "os" } }
}
}
}
However I would like to rename the terms device, name, os that seem to generic in http_client_device, http_client_browser, http_client_os,
How can I do that ?
Thank you
mikygee
August 15, 2017, 10:09am
2
I tried that but it doesn't work
grok {
break_on_match => true
match => [ "message", "%{IPORHOST:remote_addr} - - \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
tag_on_failure => ["nginx_access_parsing_failed"]
remove_tag => ["_grokparsefailure"]
add_tag => ["Web"]
add_tag => ["Nginx"]
}
if [http_user_agent] != "-" and [http_user_agent] != "" {
useragent {
source => "http_user_agent"
}
}
if "UA" in [tags] {
if [device] == "Other" { mutate { remove_field => "device" } }
if [name] == "Other" { mutate { remove_field => "name" } }
if [os] == "Other" { mutate { remove_field => "os" } }
mutate {
rename => [ "name", "http_client_browser" ]
}
}
}
}
Where is the UA tag added? Please show an example of an event that Logstash has produced. Use a stdout { codec => rubydebug } output.
mikygee
August 15, 2017, 12:20pm
4
Thank you for your reply.
system
September 12, 2017, 12:20pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.