Logstash filter VMware access_log

maher · April 5, 2016, 10:56am

HI,

I am trying to parse an apache access_log.

The log format includes the VMware name and port so using the grok %{ COMBINEDAPACHELOG} I always have a wrong result.

I was trying to use a custom filter without a useful result.

“%{NOTSPACE:jvmname}%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}”

Here an example of the access_log wich I am trying to parse:

prod.prod.iph.nbs-test.com:443 164.132.161.16 - - [31/Mar/2016:04:31:52 +0200] "GET /entonnoir-polyethylene/p-5035-5027598 HTTP/1.0" 200 28563 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)" 1459391512 394383 9755

Thank you,

magnusbaeck · April 5, 2016, 5:28pm

The most obvious problem is there needs to be a space between the NOTSPACE and IPORHOST patterns at the start of the expression. (Unrelated, but jvmname is a really weird name for the virtualhost:port string.)