Issue with filter and timestamp

I am getting errors, I guess due to the grok filters. Check the Logstash-parsed log below:

{
       "message" => "2017-06-09 05:02:16,751 [30] DEBUG - WS206 - ApplicationName - someapp.Logging.someappLogger - REQ_END POST: /api/client/reportbuilder/getReportFilterValueData  [200, 49 ms]\r\n",
      "@version" => "1",
    "@timestamp" => "2017-06-09T10:00:39.902Z",
          "type" => "log4net",
          "host" => "192.168.x.xxx",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
{
       "message" => "2017-06-09 05:02:19,270 [48] DEBUG - WS206 - ApplicationName - someapp.Logging.someappLogger - REQ_START POST: /api/client/reportbuilder/getReportFilterValueData \r\n",
      "@version" => "1",
    "@timestamp" => "2017-06-09T10:00:42.422Z",
          "type" => "log4net",
          "host" => "192.168.x.xxx",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

I have started getting these logs from the Visual Studio UdpAppender in Logstash and Kibana. The logs look like the above; my filter is as shown below:

filter {
  if [type] == "log4net" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|\"%{URIPATH:CS-URI-Query}\") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}" }
    }
  }
}

A couple of issues: the logging time and the actual time the log was generated are different. Kibana has a timestamp which is different from the timestamp in the message part of the log above; how do I fix that?

{
  "_index": "logstash-2017.06.09",
  "_type": "log4net",
  "_id": "AVyMTIFqNuCcmtLtPbeb",
  "_score": null,
  "_source": {
    "message": "2017-06-09 05:02:19,317 [48] DEBUG - WS206 - ApplicationName - Someapp.Logging.SomeappLogger - REQ_END POST: /api/client/reportbuilder/getReportFilterValueData  [200, 46 ms]\r\n",
    "@version": "1",
    "@timestamp": "2017-06-09T10:00:42.468Z",
    "type": "log4net",
    "host": "192.168.x.xxx",
    "tags": [
      "_grokparsefailure"
    ]
  },
  "fields": {
    "@timestamp": [
      1497002442468
    ]
  },
  "highlight": {
    "type.raw": [
      "@kibana-highlighted-field@log4net@/kibana-highlighted-field@"
    ],
    "type": [
      "@kibana-highlighted-field@log4net@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1497002442468
  ]
}

All of our logs will mostly be exceptions/errors/DEBUG info received from Visual Studio, IIS servers, ASP.NET applications and web apps. What is the best filter for these logs?

What should I do with the [0] "_grokparsefailure" tag?

I'm new to ELK.

You're giving us the wrong filter. The one you gave works only if type=iis, and in your log you only give log4net, so we can't really help on this.

As for your timestamp "problem", it is due to the fact that your parsing failed (grok tag), so you don't have the timestamp of your message, but only the timestamp of the moment this message was processed by Logstash.

Sorry, it was type=log4net; iis came in there by mistake. That was a copy-paste error; I have fixed it in the post. What I am trying to log is really a bunch of AWS Beanstalk instances with .NET applications running on them. The above logs came from a developer's machine with Visual Studio 2015 running for testing.

I guess if I fix the grok, the timestamp issue will also go away. Please advise.

The fact is:

"%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|\"%{URIPATH:CS-URI-Query}\") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}"

Does not match:

"2017-06-09 05:02:16,751 [30] DEBUG - WS206 - ApplicationName - someapp.Logging.someappLogger - REQ_END POST: /api/client/reportbuilder/getReportFilterValueData  [200, 49 ms]\r\n"

For example, just after the timestamp, what about [30]? It is not a WORD, hence the parse fails.

Try your pattern with data on a grok debugger, like:
http://grokdebug.herokuapp.com/

You just need to define a correct pattern for your log.
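The reply above names the cause: the posted pattern expects a WORD right after the timestamp, and the log4net line has "[30]" there, so grok tags the event _grokparsefailure and @timestamp stays at the time Logstash received the datagram. As an added example, not code from the thread or from Logstash, the script below expands grok syntax into a Python regex (using simplified equivalents of the grok core patterns, which is an assumption; the real definitions are slightly more permissive) so a pattern can be checked offline much like the grok debugger. It shows the posted pattern failing on the thread's own lines, runs a pattern written for the posted log4net layout over them, and parses the captured timestamp the way a date filter with "yyyy-MM-dd HH:mm:ss,SSS" would. The field names (thread, machine, application, logger, log_message) and the Logstash filter quoted in the docstring are mine, not the thread's.

```python
r"""Offline check of a grok pattern against the log4net lines from the thread.

Logstash equivalent of what this script exercises (assumed filter, written
for this example rather than taken from the thread):

    filter {
      if [type] == "log4net" {
        grok {
          match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} \[%{NUMBER:thread}\] %{LOGLEVEL:level} - %{NOTSPACE:machine} - %{NOTSPACE:application} - %{NOTSPACE:logger} - %{GREEDYDATA:log_message}" }
        }
        date {
          # sets @timestamp from the line instead of from Logstash's clock;
          # the line has no zone, so add timezone => "<producer zone>" if it differs
          match => ["log_timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
        }
        mutate { strip => ["log_message"] }   # drop the trailing "  \r\n"
      }
      if "_grokparsefailure" in [tags] {
        # anything still failing can be routed to a separate index for review
      }
    }
"""
import re
from datetime import datetime

# Simplified equivalents of the grok core patterns used below (assumption: the
# real logstash-patterns-core definitions are a little more permissive, e.g.
# optional seconds and two-digit years, which these lines do not need).
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|SEVERE|FATAL|CRITICAL|ALERT|EMERGENCY)",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
}

# Pattern for the posted layout:
#   <timestamp> [<thread>] <level> - <machine> - <application> - <logger> - <message>
LOG4NET_PATTERN = (
    r"%{TIMESTAMP_ISO8601:log_timestamp} \[%{NUMBER:thread}\] %{LOGLEVEL:level} - "
    r"%{NOTSPACE:machine} - %{NOTSPACE:application} - %{NOTSPACE:logger} - "
    r"%{GREEDYDATA:log_message}"
)

# Start of the IIS-style pattern from the original filter (field renamed with an
# underscore because Python group names cannot contain "-"); kept to show why
# it fails on "[30]".
IIS_PATTERN_PREFIX = r"%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S_SiteName}"

# Lines copied from the thread's rubydebug output, including the trailing \r\n
# that the UdpAppender sends.
SAMPLE_LINES = [
    "2017-06-09 05:02:16,751 [30] DEBUG - WS206 - ApplicationName - "
    "someapp.Logging.someappLogger - REQ_END POST: "
    "/api/client/reportbuilder/getReportFilterValueData  [200, 49 ms]\r\n",
    "2017-06-09 05:02:19,270 [48] DEBUG - WS206 - ApplicationName - "
    "someapp.Logging.someappLogger - REQ_START POST: "
    "/api/client/reportbuilder/getReportFilterValueData \r\n",
]

_GROK_SYNTAX = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME:field} references into Python named groups."""
    def expand(m: "re.Match[str]") -> str:
        body = GROK_PATTERNS[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_SYNTAX.sub(expand, pattern))


def grok_match(pattern: str, line: str):
    """Return the captured fields, or None where Logstash would tag
    _grokparsefailure. grok is unanchored, so search() rather than fullmatch()."""
    m = grok_to_regex(pattern).search(line)
    if m is None:
        return None
    fields = m.groupdict()
    if "log_message" in fields:  # what mutate { strip => [...] } would do
        fields["log_message"] = fields["log_message"].strip()
    return fields


def log4net_timestamp(value: str) -> datetime:
    """Parse log_timestamp as date { match => [..., "yyyy-MM-dd HH:mm:ss,SSS"] }
    would; naive because the line carries no zone."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


def parse_samples():
    """Run the proposed pattern over the sample lines."""
    return [grok_match(LOG4NET_PATTERN, line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("IIS-style pattern :", grok_match(IIS_PATTERN_PREFIX, line))
        event = grok_match(LOG4NET_PATTERN, line)
        print("log4net pattern   :", event)
        print("@timestamp would be", log4net_timestamp(event["log_timestamp"]))
```

Two things to carry over into the real filter: the date filter is what moves @timestamp from Logstash's receive time to the time in the line, and since the log4net layout writes no zone, set its timezone option to the producer's zone when the Logstash host runs in a different one; and GREEDYDATA happily swallows the trailing spaces and carriage return, so strip log_message (or fix the layout) before building dashboards on it.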
