Issue parsing Apache log coming from Filebeat

(Bicofino) #1

Hello all,

I'm trying use ELK with Filebeat to parse some apache logs, but the filter never gets fired.

ELK Server:

Packages installed:


The filter is OK:

0:> /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache-filter.conf --config.test_and_exit --path.settings /etc/logstash/
Sending Logstash's logs to /var/log/logstash which is now configured via
Configuration OK

Content of /etc/logstash/conf.d/apache-filter.conf:

 filter {
   if [type] == "apache-access" {
     # This will parse the apache access event
     grok {
       match => [ "message", "%{COMBINEDAPACHELOG}" ]

Client server(filebeat):

Packages installed:


Contents of /etc/filebeat/filebeat.yml

  • input_type: log
    • /logs/*.log
      document_type: apache-access
      hosts: [""]
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]`

Filebeat is working and the log is forwarded to Logstash and I can see on Kibana, below an example:

"_index": "filebeat-2016.12.07",
"_type": "apache-access",
"_id": "AVjZG5H0oxxqAxp3g61g",
"_score": null,
"_source": {
"@timestamp": "2016-12-07T11:46:51.405Z",
"beat": {
"hostname": "",
"name": "",
"version": "5.0.2"
"input_type": "log",
"message": " - - [05/Dec/2016:11:21:05 +0000] "GET HTTP/1.1" 200 14383 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36" "-"",
"offset": 283053696,
"source": "/logs/site/wpc_19370_20161205_0001.log",
"type": "apache-access"
"fields": {
"@timestamp": [
"sort": [

I tried the example here, and the content of the message is parsed correctly. Looks like the issue is when the content comes from Filebeat, I already configured Logstash log to Debug and got nothing. Any idea?

Best Regards,

Danilo F. Chilene

(Magnus B├Ąck) #2

If the grok filter was used but the expression didn't match you'd get a _grokparsefailure tag, but that's not the case here. The configuration looks okay from here. Are you sure you're actually using the configuration you think you're using? If you start Logstash with --debug I think it'll log the exact configuration it loaded.

(Bicofino) #3

Hello Magnus,

Here the begin of the log:

(Bevan Bennett) #4

What's the input section of your logstash configuration look like?

I suspect that, while "_type" is getting set by beats, you aren't setting "type", which means you could either change the if to if [_type] == "apache-access" or else add a type => "apache-access" section to your input.

(Bicofino) #5


I tried put a if inside the input too, take a look:

0:> cat /etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"

filter {
if [type] == "apache-access" {
# This will parse the apache access event
grok {
match => [ "message", "%{COMBINEDAPACHELOG}" ]

(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.