Logstash Pipeline is running successfully. Elasticsearch and Kibana are running successfully.
Have apache_access_xxxx.log files in logstash/event-data
Checked http://localhost:9200/_cat/indices and could not find logstash indices.
Pipeline.conf
input {
file {
path => "C:/ELK-Stack/logstash/event-data/apache_*.log"
start_position => "beginning"
codec => plain{charset => 'UTF-16BE'}
}
http {
host => "localhost"
port => 8088
}
}
filter {
if [headers][request_uri] =~ "error" or [path] =~ "errors" {
mutate {
replace => { type => "error" }
}
} else {
mutate {
replace => { type => "access" }
}
grok {
match => { "message" => '%{HTTPD_COMMONLOG} "%{GREEDYDATA:referrer}" "%{GREEDYDATA:agent}"' }
}
if "_grokparsefailure" in [tags] {
drop { }
}
useragent {
source => "agent"
target => "ua"
}
# Admin pages
if [request] =~ /^\/admin\// {
drop { }
}
# Static files
if [request] =~ /^\/js\//
or [request] =~ /^\/css\//
or [request] in ["/robots.txt", "/favicon.ico"] {
drop { }
}
# Crawlers
if [ua][device] == "Spider" {
drop { }
}
mutate {
convert => {
"response" => "integer"
"bytes" => "integer"
}
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
remove_field => [ "timestamp" ]
}
geoip {
source => "clientip"
}
}
mutate {
remove_field => [ "headers", "@version", "host" ]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
document_type => "default"
#index => "%{type}-%{+YYYY.MM.dd}"
http_compression => true
}
}