Issue parsing Apache log coming from Filebeat

Hello all,

I'm trying to use ELK with Filebeat to parse some Apache logs, but the filter never gets fired.

ELK Server:

Packages installed:

logstash-5.0.2-1.noarch
kibana-5.0.2-1.x86_64
elasticsearch-5.0.2-1.noarch

The filter is OK:

```
0:> /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache-filter.conf --config.test_and_exit --path.settings /etc/logstash/
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK
```

Content of /etc/logstash/conf.d/apache-filter.conf:

```
filter {
  if [type] == "apache-access" {
    # This will parse the apache access event
    grok {
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
  }
}
```

Client server (Filebeat):

Packages installed:

filebeat-5.0.2-1.x86_64

Contents of /etc/filebeat/filebeat.yml:

```yaml
filebeat.prospectors:
- input_type: log
  paths:
    - /logs/*.log
  document_type: apache-access
output.elasticsearch:
  hosts: ["mylogstashserver.com:9200"]
  tls:
    certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
```

Filebeat is working, the log is forwarded to Logstash and I can see it in Kibana; below is an example:

```json
{
  "_index": "filebeat-2016.12.07",
  "_type": "apache-access",
  "_id": "AVjZG5H0oxxqAxp3g61g",
  "_score": null,
  "_source": {
    "@timestamp": "2016-12-07T11:46:51.405Z",
    "beat": {
      "hostname": "myfilebeatserver.com",
      "name": "myfilebeatserver.com",
      "version": "5.0.2"
    },
    "input_type": "log",
    "message": "191.255.248.250 - - [05/Dec/2016:11:21:05 +0000] \"GET http://img.mysite.com/8019370/orig-img.mysite.com/cars/389632.jpg HTTP/1.1\" 200 14383 \"http://www.mysite.com/travel/resultado-de-carros?searchtype=Car&withdrawalCity=FLL&withdrawalCityType=AEROPORTO&devolutionCity=FLL&devolutionCityType=AEROPORTO&anotherCity=false&pickUpDateTime=20/12/2016T14:00&returnDateTime=04/01/2017T14:00&pickUpLocationCityCode=34691&returnLocationCityCode=34691\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36\" \"-\"",
    "offset": 283053696,
    "source": "/logs/site/wpc_19370_20161205_0001.log",
    "type": "apache-access"
  },
  "fields": {
    "@timestamp": [
      1481111211405
    ]
  },
  "sort": [
    1481111211405
  ]
}
```

I tried the example here (Logstash configuration examples | Logstash Reference [8.11] | Elastic), and the content of the message is parsed correctly. It looks like the issue is when the content comes from Filebeat. I already configured the Logstash log to Debug and got nothing. Any idea?

Best Regards,

Danilo F. Chilene

If the grok filter was used but the expression didn't match you'd get a _grokparsefailure tag, but that's not the case here. The configuration looks okay from here. Are you sure you're actually using the configuration you think you're using? If you start Logstash with --debug I think it'll log the exact configuration it loaded.

Hello Magnus,

Here is the beginning of the log: http://pastebin.com/R0UdccsR

What does the input section of your Logstash configuration look like?

I suspect that, while `_type` is getting set by beats, you aren't setting `type`, which means you could either change the `if` to `if [_type] == "apache-access"` or else add a `type => "apache-access"` section to your input.
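The two replies above make two separate points: a grok that runs but does not match tags the event with `_grokparsefailure`, whereas a conditional on a field the event does not carry (`type` versus `_type`) means the grok never runs and the event passes through untouched. The script below is an added example (not from this thread or from Elastic) that emulates that filter block in Python over a constructed Beats-style event modelled on the Kibana document in the original post; the regex is a port of Logstash's COMBINEDAPACHELOG grok pattern (the grok `QS` captures keep their surrounding quotes, this port strips them), and `apply_filter`, `beats_event` and `SAMPLE_MESSAGE` are names chosen here.

```python
import re

# Port of Logstash's COMBINEDAPACHELOG grok pattern. Grok matches from the start of
# the message and does not require the whole line to be consumed, so a trailing
# extra field such as the final "-" in the thread's log line is tolerated here too.
COMBINEDAPACHELOG = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) '
    r'"(?P<referrer>(?:\\.|[^"\\])*)" "(?P<agent>(?:\\.|[^"\\])*)"'
)

# Constructed sample line, modelled on (but shorter than) the message in the thread.
SAMPLE_MESSAGE = (
    '191.255.248.250 - - [05/Dec/2016:11:21:05 +0000] '
    '"GET http://img.mysite.com/8019370/orig-img.mysite.com/cars/389632.jpg HTTP/1.1" 200 14383 '
    '"http://www.mysite.com/travel/resultado-de-carros?searchtype=Car" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/54.0.2840.99 Safari/537.36" "-"'
)


def beats_event(message, with_type=True):
    """Build a constructed Filebeat 5.x style event. `_type` is always present (as in
    the Kibana document); the top-level `type` field is only present when asked for."""
    event = {
        "@timestamp": "2016-12-07T11:46:51.405Z",
        "beat": {"hostname": "myfilebeatserver.com", "version": "5.0.2"},
        "input_type": "log",
        "message": message,
        "source": "/logs/site/example.log",   # constructed path
        "_type": "apache-access",
    }
    if with_type:
        event["type"] = "apache-access"
    return event


def apply_filter(event):
    """Emulate the thread's filter block:
       if [type] == "apache-access" { grok { match => [ "message", "%{COMBINEDAPACHELOG}" ] } }
    Returns a new event; the input is not modified."""
    out = dict(event)
    if out.get("type") != "apache-access":
        # Conditional is false: the grok never fires, nothing is added, no failure tag.
        return out
    match = COMBINEDAPACHELOG.match(out.get("message", ""))
    if match is None:
        # Grok ran but did not match: Logstash adds the _grokparsefailure tag.
        out["tags"] = list(out.get("tags", [])) + ["_grokparsefailure"]
        return out
    # Successful match: captured fields are added alongside the original message.
    out.update({k: v for k, v in match.groupdict().items() if v is not None})
    return out


def main():
    for label, ev in [
        ("type set, valid line     ", beats_event(SAMPLE_MESSAGE)),
        ("type missing, valid line ", beats_event(SAMPLE_MESSAGE, with_type=False)),
        ("type set, malformed line ", beats_event("this is not an apache line")),
    ]:
        result = apply_filter(ev)
        print(label, "clientip=%s verb=%s response=%s tags=%s" % (
            result.get("clientip"), result.get("verb"),
            result.get("response"), result.get("tags")))


if __name__ == "__main__":
    main()
```

Running it prints one line per case: the first gets `clientip=191.255.248.250 verb=GET response=200`, the second stays unparsed with no tag (the conditional short-circuited, which is the symptom described in the original post), and the third gets `tags=['_grokparsefailure']`. Comparing which of the last two a real event resembles in Kibana tells you whether the grok is running at all.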

Hi,

I tried putting an if inside the input too, take a look:

```
0:> cat /etc/logstash/conf.d/02-beats-input.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "apache-access" {
    # This will parse the apache access event
    grok {
      match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
  }
}
```
