I am new to ELK and trying to instrument a simple node.js app that is using Winston for logging. I have tried a variety of grok patterns (including just %{COMBINEDAPACHELOG}) but cannot seem to get all the data that I need. I have read through the related parse failure posts but am not making traction. Any ideas on how to consistently parse these logs?
Sample log
{"level":"info","message":"127.0.0.1 - - [Tue, 13 Oct 2015 05:19:33 GMT] \"GET /blah HTTP/1.1\" 500 1402 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0\"\n","timestamp":"2015-10-13T05:19:33.571Z"}
Config File Filter
filter {
  grok {
    match => { "message" => "%{WORD:loglevel}%{WORD:logtype} %{IP:client}%{SPACE}-%{SPACE}-%{SPACE} %{TIME:timestamp} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:response}-%{QUOTEDSTRING},%{TIME:timestamp2}" }
  }
}
Output When Logstash Starts
{
         "level" => "info",
       "message" => "127.0.0.1 - - [Tue, 13 Oct 2015 05:19:33 GMT] \"GET /blah HTTP/1.1\" 500 1402 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0\"\n",
     "timestamp" => "2015-10-13T05:19:33.571Z",
      "@version" => "1",
    "@timestamp" => "2015-10-13T21:20:38.829Z",
          "host" => "<user>.local",
          "path" => "/Users/<user>/Documents/node-postgres-todo/logs/test-log.log",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
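A filter that matches the sample line, added here as an example and not part of the original question. It assumes a plain file input with no codec, so the json filter first lifts level, message and timestamp to top-level fields; the bracketed date is RFC 1123 (what JavaScript's toUTCString produces), which the Apache-style %{HTTPDATE} inside %{COMBINEDAPACHELOG} does not match, so it is spelled out piece by piece, and @timestamp is taken from Winston's ISO 8601 field rather than from the bracketed date.

```conf
filter {
  # Winston writes one JSON object per line; parse it so that
  # level, message and timestamp become top-level fields
  # (the inner "message" string replaces the raw JSON line).
  json {
    source => "message"
  }

  # Combined-log layout, but with an RFC 1123 date in the brackets
  # ("Tue, 13 Oct 2015 05:19:33 GMT") instead of %{HTTPDATE}.
  # The trailing "\n" in the message is harmless: grok does not anchor at the end.
  grok {
    match => {
      "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[(?<request_date>%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{WORD})\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}"
    }
  }

  # Winston's own "timestamp" field is ISO 8601, so use it for @timestamp
  # instead of parsing the bracketed date.
  date {
    match => [ "timestamp", "ISO8601" ]
  }
}
```

If the input already uses codec => json (the posted output suggests it might, since "message" is already the inner string), drop the json block; the grok and date filters stay the same.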