Hi,
I've just set up a trial cluster and managed to configure Logstash to send out data.
However, we are using custom Apache logs that include the vhost server's name, as shown below:
cloudfront.jnstaging.crossknowledge.com 54.239.171.11 - eac_web_service_user1 [04/Nov/2015:12:05:14 +0100] "POST /xmlrpc/server.php HTTP/1.1" 200 517 "-" "Amazon CloudFront"
I'd like to configure Logstash in order to have this first log field as a field in ES/Kibana.
My current filter is:
filter {
  if [path] =~ "access" {
    mutate { replace => { type => "apache_access" } }
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  } else if [path] =~ "error" {
    mutate { replace => { type => "apache_error" } }
  } else {
    mutate { replace => { type => "random_logs" } }
  }
}
How can I modify it accordingly?
Thanks for your help!
Michael
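
One way to capture the leading vhost as its own field, shown as an added example that is not part of the original post: it prepends `%{IPORHOST:vhost}` to the stock `%{COMBINEDAPACHELOG}` pattern and keeps the plain pattern as a fallback for lines without the prefix. The field name `vhost` and the failure tag `_apache_vhost_parsefailure` are names chosen here, not anything the post defines.

```logstash
filter {
  if [path] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }

    # Patterns are tried in order and the first match wins.
    #   1. vhost-prefixed line: "<vhost> <client> - <user> [<time>] ..."
    #   2. plain combined line with no vhost prefix
    # Both are anchored with ^ so a pattern cannot match from the middle
    # of a line and silently drop the leading field.
    grok {
      match => {
        "message" => [
          "^%{IPORHOST:vhost} %{COMBINEDAPACHELOG}",
          "^%{COMBINEDAPACHELOG}"
        ]
      }
      # Assumed tag name: makes unparsed access lines easy to find in Kibana
      tag_on_failure => ["_apache_vhost_parsefailure"]
    }

    # Only parse the timestamp when grok actually extracted one
    if "_apache_vhost_parsefailure" not in [tags] {
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      }
    }
  } else if [path] =~ "error" {
    mutate { replace => { "type" => "apache_error" } }
  } else {
    mutate { replace => { "type" => "random_logs" } }
  }
}
```

With the sample line from the post, `vhost` becomes `cloudfront.jnstaging.crossknowledge.com` and `clientip` stays `54.239.171.11`, so requests can be filtered per virtual host in Kibana.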