Hi,
I am trying to parse Apache (access_log) logs but I have a problem with the username section (it does not capture the complete name). Log example:
10.13.252.185 - - [23/Aug/2020:23:56:14 -0400] "PROPFIND /remote.php/dav/files/JF009-01/PAPER/00022/document.txt HTTP/1.1" 207 1132 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"
My Grok filter is:
grok {
  # NOTSPACE is \S+ (greedy); three NOTSPACE/DATA fields split only by "/" are ambiguous,
  # so the regex engine chooses the split by backtracking, not by the path's meaning.
  # The field after the status code in this format is the response size in bytes, not a time.
  match => { "message" => '%{IPORHOST:clientip} - - \[%{HTTPDATE:timestamp}\] "%{WORD:Method} %{NOTSPACE:url}/%{NOTSPACE:user}/%{DATA:file} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{WORD:response_time}' }
}
The username is JF009-01, but the filter only captures JF009, and the other part is captured inside the folder tag:
{
  "clientip": [["10.13.252.185"]],
  "HOSTNAME": [["10.13.252.185"]],
  "IP": [[null]],
  "IPV6": [[null]],
  "IPV4": [[null]],
  "timestamp": [["23/Aug/2020:23:56:14 -0400"]],
  "MONTHDAY": [["23"]],
  "MONTH": [["Aug"]],
  "YEAR": [["2020"]],
  "TIME": [["23:56:14"]],
  "HOUR": [["23"]],
  "MINUTE": [["56"]],
  "SECOND": [["14"]],
  "INT": [["-0400"]],
  "Method": [["PROPFIND"]],
  "user": [["JF009"]],
  "folder": [["-01/PAPER/00022"]],
  "file": [["document.txt"]],
  "httpversion": [["1.1"]],
  "BASE10NUM": [["1.1", "207"]],
  "response": [["207"]],
  "response_time": [["1132"]]
}
Any suggestions?
Thanks
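Added example, not code from the post or from Logstash: a Python `re` equivalent of the posted grok pattern next to a hardened one, both run over constructed sample lines modelled on the line above. It reproduces the two mechanisms that truncate the name: grok's `WORD` is `\b\w+\b`, and `\w` does not include `-`, so it stops at `JF009`; and `NOTSPACE` (`\S+`) fields separated only by `/` are ambiguous, so the engine picks the split by backtracking (with the posted pattern, `user` lands on `00022`). The posted pattern has no `folder` field, so the debugger output above must come from a slightly different pattern; the example shows the failure modes rather than that exact output. The fix anchors on the literal `/remote.php/dav/files/` prefix taken from the posted line (that every line carries it is an assumption) and captures the user as "everything up to the next slash". The function and field names (`parse_naive`, `parse_fixed`, `word_prefix`, `ident`, `auth`, `path`) are mine.

```python
import re
from typing import Optional

# Constructed sample lines in the same shape as the access_log line in the post.
SAMPLE_LINES = [
    '10.13.252.185 - - [23/Aug/2020:23:56:14 -0400] '
    '"PROPFIND /remote.php/dav/files/JF009-01/PAPER/00022/document.txt HTTP/1.1" '
    '207 1132 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36"',
    # Constructed: a user name containing a dot and a file in the root of the share.
    '10.13.252.186 - - [23/Aug/2020:23:57:02 -0400] '
    '"GET /remote.php/dav/files/jane.doe/notes.txt HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

# Regex equivalents of the grok patterns used in the post:
#   NOTSPACE -> \S+    DATA -> .*?    WORD -> \b\w+\b    NUMBER -> [\d.]+
# The "url/user/file" split relies on backtracking, so it is not anchored to the path layout.
NAIVE = re.compile(
    r'^(?P<clientip>\S+) - - \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\b\w+\b) (?P<url>\S+)/(?P<user>\S+)/(?P<file>.*?) '
    r'HTTP/(?P<httpversion>[\d.]+)" (?P<response>\d+) (?P<bytes>\d+|-)'
)

# Hardened pattern: anchor on the literal WebDAV prefix (assumption: every line has it),
# take the user as everything up to the next "/", keep the remainder of the path as-is.
# The user segment is client-supplied path data, so it is limited to non-slash,
# non-space, non-quote characters rather than to "word" characters.
FIXED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>/remote\.php/dav/files/(?P<user>[^/\s"]+)'
    r'(?P<path>/[^\s"]*)?) HTTP/(?P<httpversion>\d+\.\d+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def word_prefix(s: str) -> Optional[str]:
    """What grok's WORD (\\b\\w+\\b) captures from s: \\w excludes '-', so it stops there."""
    m = re.match(r'\b\w+\b', s)
    return m.group(0) if m else None


def parse_naive(line: str) -> Optional[dict]:
    """Apply the NOTSPACE-based split from the post; shows where backtracking puts 'user'."""
    m = NAIVE.match(line)
    return m.groupdict() if m else None


def parse_fixed(line: str) -> Optional[dict]:
    """Apply the anchored pattern and derive folder/file from the remaining path."""
    m = FIXED.match(line)
    if not m:
        return None
    d = m.groupdict()
    path = d.get('path') or '/'
    folder, _, filename = path.lstrip('/').rpartition('/')
    d['folder'] = folder          # '' when the file sits in the root of the share
    d['file'] = filename
    return d


if __name__ == '__main__':
    print('WORD on JF009-01 ->', word_prefix('JF009-01'))
    for line in SAMPLE_LINES:
        n, f = parse_naive(line), parse_fixed(line)
        print('naive user:', n['user'] if n else None,
              '| fixed user:', f['user'], 'folder:', f['folder'], 'file:', f['file'])
```

The grok equivalent of the hardened capture is to replace `%{NOTSPACE:url}/%{NOTSPACE:user}/%{DATA:file}` with `/remote.php/dav/files/(?<user>[^/]+)/%{DATA:file}`; grok accepts Oniguruma named groups of that form directly in the pattern. Two further points for when these events feed detections: the value after the status code in this log format is the response size in bytes, so naming it `response_time` will mislead anyone who later graphs it, and the `user` segment comes from the request path, not from authentication, so treat it as untrusted input rather than as a verified identity.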