Logstash grok filter combinedapachelog does not work

Grok does not seem to create any outputs for COMBINEDAPACHELOG

Here is my filter:

filter
{
	grok { 
		match => { "messages" => "%{COMBINEDAPACHELOG}"}
	}
	mutate {
		convert => { "bytes" => "integer" }
	}
	date {
		match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
		locale => en
		remove_field => "timestamp"
	}
	geoip {
		source => "clientip"
	}
	useragent {
		source => "user_agent"
		target => "useragent"
	}
}
"74.99.99.99 - - [22/Jun/2020:10:33:06 -0700] \"GET /page.php?link1=test HTTP/1.1\" 200 24330 \"http://xxxxxxxxxxxx.com/read/page.php\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0\"",

Input comes from filebeat to this server. Logstash is version 7.8 and so is filebeat. This used to work with 7.7, then I made some changes, deleted the index from Elastic and the index patterns from Kibana, and it stopped working. I know it has nothing to do with Elastic and Kibana, but I just wanted to put it out there.

Never mind. After I posted it, I noticed the "s" at the end of "message" in match field.

It started working after I changed the match field to:

match => { "message" => "%{COMBINEDAPACHELOG}"}

I left my original question here in case somebody else makes the same mistake.

Thanks,
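The same field-name slip can be reproduced offline. Below is an added example (not the poster's config and not Logstash code): a Python stand-in for the grok, mutate and date stages of the pipeline above, using a regex that emits the same field names as COMBINEDAPACHELOG, run against the posted log line. The event dictionary, the `grok()` helper and the simplified quoting of `referrer`/`agent` are assumptions of this example.

```python
"""Offline stand-in for the grok -> mutate -> date stages in the post.
Added example; the event layout and helper names are constructed here."""
import re
from datetime import datetime

# Field names mirror what grok's COMBINEDAPACHELOG emits. Simplification:
# referrer/agent are captured without their surrounding quotes.
COMBINEDAPACHELOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?:(?P<bytes>\d+)|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample: the line from the post, unescaped.
SAMPLE = ('74.99.99.99 - - [22/Jun/2020:10:33:06 -0700] '
          '"GET /page.php?link1=test HTTP/1.1" 200 24330 '
          '"http://xxxxxxxxxxxx.com/read/page.php" '
          '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) '
          'Gecko/20100101 Firefox/77.0"')


def grok(event, field="message"):
    """Mimic grok { match => { field => "%{COMBINEDAPACHELOG}" } } plus the
    mutate and date filters. A source field that does not exist (the
    'messages' typo) is treated as a non-match here and tagged with
    _grokparsefailure, the tag grok itself adds when a pattern fails."""
    text = event.get(field)
    m = COMBINEDAPACHELOG.match(text) if isinstance(text, str) else None
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    # mutate { convert => { "bytes" => "integer" } }; absent when the log has "-"
    if "bytes" in event:
        event["bytes"] = int(event["bytes"])
    # date { match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ] remove_field => "timestamp" }
    event["@timestamp"] = datetime.strptime(event.pop("timestamp"),
                                            "%d/%b/%Y:%H:%M:%S %z")
    return event


if __name__ == "__main__":
    print(grok({"message": SAMPLE}))            # parsed fields, bytes is an int
    print(grok({"message": SAMPLE}, "messages"))  # only a _grokparsefailure tag
```

Checking for `_grokparsefailure` in the indexed events is the quickest way to tell a field-name mismatch apart from a pattern that genuinely does not fit the log format.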
