Logstash custom apache logs

mlopez · November 4, 2015, 3:32pm

Hi,
I've just setup a trial cluster and managed to configure logstash to send out data.
However we are using a custom apache logs that include the vhost server's name as shown here below :

cloudfront.jnstaging.crossknowledge.com 54.239.171.11 - eac_web_service_user1 [04/Nov/2015:12:05:14 +0100] "POST /xmlrpc/server.php HTTP/1.1" 200 517 "-" "Amazon CloudFront"

I'd like to configure logstash in order to have this first log field as a field in ES/Kibana

my current filter is :

filter {
if [path] =~ "access" {
mutate { replace => { type => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
} else if [path] =~ "error" {
mutate { replace => { type => "apache_error" } }
} else {
mutate { replace => { type => "random_logs" } }
}
}

how can I modify it accordingly ?
Thanks for your help !

Michael

renevdm · November 4, 2015, 5:21pm

Take a look here: http://ict.renevdmark.nl/2015/10/20/apache-access-logs-in-kibana/

mlopez · November 4, 2015, 5:53pm

Thanks a lot Rene ! It works like a charm