I'm having an issue with my Filebeat 1.2.3 install.
I am trying to read Nginx logs and output them to Redis.
I had this system working (at least in a testing capacity) for a week and recently I noticed that I am getting Logstash _grokparsefailures because my logs now have \" surrounding any fields that have " in them.
So for an example log line:
1.2.3.4 - - [16/Jun/2016:18:16:40 +0000] "GET /url/a-b HTTP/1.1" 200 0 "-" "Funnelback RPT-HTTPClient/0.3-3E"
is being turned into this
"{\"@timestamp\":\"2016-06-16T18:16:43.758Z\",\"beat\":{\"hostname\":\"example.com\",\"name\":\"example.com\"},\"count\":1,\"fields\":null,\"input_type\":\"log\",\"message\":\"1.2.3.4 - - [16/Jun/2016:18:16:40 +0000] \\\"GET /url/a-b HTTP/1.1\\\" 200 0 \\\"-\\\" \\\"Funnelback RPT-HTTPClient/0.3-3E\\\"\",\"offset\":843990,\"source\":\"/var/log/nginx/access.log\",\"type\":\"log\"}"
by the time it gets to Redis. (That is the output when I lrange the key that it is being put under.)
And thus Logstash is parsing it into
{"@timestamp":"2016-06-13T23:38:35.448Z","beat":{"hostname":"example.com","name":"example.com"},"count":1,"fields":null,"input_type":"log","message":"1.2.3.4 - - [13/Jun/2016:23:38:35 +0000] \"GET /url/a-b HTTP/1.1\" 301 178 \"-\" \"Mozilla/5.0\"","offset":322672,"source":"/var/log/nginx/access.log","type":"log","@version":"1","tags":["_grokparsefailure"]}
Why is it adding the additional \" around the URL and user agent? It wasn't doing this a week ago when I set it up because my grok rules were working then.
Here are my grok rules:
%{IPORHOST:c_ip} %{NGUSER:cs_username} %{NGUSER:cs_auth} \[%{HTTPDATE:timestamp}\] "%{WORD:cs_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:cs_version}" %{NUMBER:sc_status} (?:%{NUMBER:sc_bytes}|-) (?:"(?:%{URI:cs_referer}|-)"|%{QS:cs_referrer}) %{QS:cs_user_agent}
Any help would be appreciated in getting this solved.
Thanks
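
An added example, not part of the original post: the value shown by lrange carries two layers of escaping (redis-cli's quoted display around Filebeat's JSON encoding), and decoding both returns the Nginx line unchanged. The regex is a simplified stand-in rather than the grok rules above, the sample is trimmed from the post's value, and reading the redis-cli display as a JSON string literal is an assumption that holds for this sample only.

```python
import json
import re

# Constructed from the post's sample: the redis-cli LRANGE display of one
# Filebeat event, trimmed to a few fields. Raw strings keep backslashes literal.
REDIS_CLI_DISPLAY = (
    r'"{\"input_type\":\"log\",\"message\":\"1.2.3.4 - - '
    r'[16/Jun/2016:18:16:40 +0000] \\\"GET /url/a-b HTTP/1.1\\\" 200 0 '
    r'\\\"-\\\" \\\"Funnelback RPT-HTTPClient/0.3-3E\\\"\",'
    r'\"offset\":843990,\"source\":\"/var/log/nginx/access.log\"}"'
)

ORIGINAL_LINE = ('1.2.3.4 - - [16/Jun/2016:18:16:40 +0000] "GET /url/a-b HTTP/1.1" '
                 '200 0 "-" "Funnelback RPT-HTTPClient/0.3-3E"')

# Simplified matcher for the access-log layout in the post (hypothetical
# stand-in, not the poster's grok pattern). It expects plain double quotes.
ACCESS_RE = re.compile(
    r'(?P<c_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

def peel(display):
    """Return (stored_value, event) from a redis-cli quoted display string."""
    # Layer 1: redis-cli's quoting. Assumption: only \" and \\ escapes occur,
    # so a JSON string parse is enough (redis-cli can also emit \xHH).
    stored = json.loads(display)
    if not isinstance(stored, str):
        raise ValueError("expected the quoted string form shown by redis-cli")
    # Layer 2: the JSON document Filebeat pushed onto the Redis list.
    event = json.loads(stored)
    if not isinstance(event, dict) or "message" not in event:
        raise ValueError("stored value is not a Filebeat-style JSON event")
    return stored, event

def parse_access(line):
    """Parse one access-log line; None when the line does not match."""
    match = ACCESS_RE.fullmatch(line)
    return match.groupdict() if match else None

if __name__ == "__main__":
    stored, event = peel(REDIS_CLI_DISPLAY)
    for label, text in (("redis-cli display", REDIS_CLI_DISPLAY),
                        ("stored JSON", stored), ("message", event["message"])):
        print(f"{label}: {text.count(chr(92))} backslashes")
    print(parse_access(event["message"]))
```

Applying parse_access to the stored JSON string instead of the decoded message returns None, which is the failure a pipeline sees when one decoding layer is skipped.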