Incorrect formatting from logstash

trenzalore · September 7, 2016, 10:11am

Hi !

I'm new in the elastic community so sorry in advance if I miss something obvious.

So I'm setting up and ELK stack with filebeat on a client.

My client has two prospectors: one which sends apache logs (document_type: apache_access) and one which send random logs (document_type: server_log)

In logstash i would like to format thoses logs in two different ways: one for the apache logs and one for the other logs. But it seems that my apache logs are formatted with both rules.

So how can I separate the formatting rules ?

here's my logstash config:

input {  
 beats {
 port => 5044
 }
}
 
filter {
      if [type] == "server_log" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
          add_field => [ "received_at", "%{@timestamp}" ]
          add_field => [ "received_from", "%{host}" ]
        }
        syslog_pri { }
        date {
          match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
      }
      else if [type] == "apache_access" {
        grok {
          match => { "message" => "%{COMBINEDAPACHELOG}"}
        }
      }
    }
 
 
output {
 elasticsearch {
 hosts => ["localhost:9200"]
 index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
 document_type => "%{[@metadata][type]}"
}
}

And here is a JSON entry:

{
  "_index": "filebeat-2016.09.07",
  "_type": "apache_access",
  "_id": "AVcEGGtbvIRMBa7J5tbe",
  "_score": 1,
  "_source": {
    "message": "::1 - - [07/Sep/2016:12:01:16 +0200] \"GET / HTTP/1.1\" 200 11359 \"-\" \"curl/7.38.0\"",
    "@version": "1",
    "@timestamp": "2016-09-07T10:01:22.428Z",
    "offset": 820,
    "count": 1,
    "fields": null,
    "beat": {
      "hostname": "debian",
      "name": "elk_client"
    },
    "source": "/var/log/apache2/access.log",
    "type": "apache_access",
    "input_type": "log",
    "host": "debian",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "clientip": "::1",
    "ident": "-",
    "auth": "-",
    "timestamp": "07/Sep/2016:12:01:16 +0200",
    "verb": "GET",
    "request": "/",
    "httpversion": "1.1",
    "response": "200",
    "bytes": "11359",
    "referrer": "\"-\"",
    "agent": "\"curl/7.38.0\""
  },
  "fields": {
    "@timestamp": [
      1473242482428
    ]
  }
}

Thanks !

warkolm · September 8, 2016, 12:39am

Where/when are you setting this on the incoming events.

trenzalore · September 8, 2016, 7:31am

I set the document_type: server_log in my filebeat client (it's another machine)

In fact, I don't know if the JSON document I have is the one I should receive or not. (for Apache)