Logstash grok filter not creating fields in ES


(Sivabalan N) #1

Hi, can someone help with a grok pattern for the following log formats? I had written my own with the help of the grok debugger, but somehow it's not creating the fields in ES.

Error log:

[Sun Sep 09 04:00:36.495025 2018] [ssl:info] [pid 23305:tid 139874015254272] [client 10.0.252.243:41216] AH01964: Connection to child 293 established (server 127.0.0.1:9440)

Access log:

10.0.252.12 - - [28/Sep/2018:13:55:58 +0000] "POST /v3_balanced/remote_rpc_request?service_name=xxxxx.yyyy.uploader.InsightsReceiverRpcSvc&port=2028&base_url=/rpc&timeout_ms=60000 HTTP/1.1" 200 78

Request log:

10.0.252.12 10.0.252.12 10.0.252.12 HTTP/1.1 - POST 200 [06/Sep/2018:19:00:50 +0000] - /v3_balanced/remote_rpc_request "-" "ECDHE-RSA-AES256-GCM-SHA384"

Thanks in advance,
Siva
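
Added example (not from the original post): the three sample lines above parsed with hand-expanded regular expressions that mirror the grok building blocks a pattern for each format would use (`HTTPD_ERRORLOG`-style for the error log, `COMMONAPACHELOG`-style for the access log). Field names for the custom request log, and the `IP` helper, are assumptions; the sample lines are the ones quoted in the post.

```python
import re

# Regex equivalents of the grok pieces (constructed here, not Logstash's bundled patterns).
IP = r"(?:\d{1,3}\.){3}\d{1,3}"          # stands in for %{IP}
APACHE_ERROR = re.compile(               # [ts] [module:level] [pid N:tid N] [client ip:port] AHnnnnn: msg
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<module>\w+):(?P<loglevel>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client_ip>" + IP + r"):(?P<client_port>\d+)\] )?"
    r"(?:(?P<errorcode>AH\d+): )?(?P<message>.*)$"
)
APACHE_ACCESS = re.compile(              # ip ident auth [ts] "verb request HTTP/x.y" status bytes
    r"^(?P<client_ip>" + IP + r") (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] "
    r"\"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)\" "
    r"(?P<response>\d{3}) (?P<bytes>\d+|-)$"
)
REQUEST_LOG = re.compile(                # custom format; field names are assumptions
    r"^(?P<ip1>" + IP + r") (?P<ip2>" + IP + r") (?P<ip3>" + IP + r") "
    r"HTTP/(?P<httpversion>[\d.]+) (?P<auth>\S+) (?P<verb>\S+) (?P<response>\d{3}) "
    r"\[(?P<timestamp>[^\]]+)\] (?P<referrer>\S+) (?P<path>\S+) "
    r"\"(?P<user_agent>[^\"]*)\" \"(?P<cipher>[^\"]*)\"$"
)
PATTERNS = {"apache_error": APACHE_ERROR, "apache_access": APACHE_ACCESS, "request": REQUEST_LOG}

# The three lines quoted in the post (copied as sample input).
SAMPLE_LINES = {
    "error": "[Sun Sep 09 04:00:36.495025 2018] [ssl:info] [pid 23305:tid 139874015254272] "
             "[client 10.0.252.243:41216] AH01964: Connection to child 293 established (server 127.0.0.1:9440)",
    "access": '10.0.252.12 - - [28/Sep/2018:13:55:58 +0000] "POST /v3_balanced/remote_rpc_request'
              '?service_name=xxxxx.yyyy.uploader.InsightsReceiverRpcSvc&port=2028&base_url=/rpc&timeout_ms=60000 HTTP/1.1" 200 78',
    "request": '10.0.252.12 10.0.252.12 10.0.252.12 HTTP/1.1 - POST 200 [06/Sep/2018:19:00:50 +0000] '
               '- /v3_balanced/remote_rpc_request "-" "ECDHE-RSA-AES256-GCM-SHA384"',
}


def parse(line):
    """Try each pattern in order, like a grok match with several patterns.

    Returns (pattern_name, fields). A line no pattern matches returns
    (None, {"tags": ["_grokparsefailure"]}), which is what Logstash would tag it with.
    """
    for name, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v is not None}
    return None, {"tags": ["_grokparsefailure"]}


if __name__ == "__main__":
    for kind, line in SAMPLE_LINES.items():
        print(kind, parse(line))
```

When the fields are missing in Elasticsearch, the two things to check first are a `_grokparsefailure` tag on the indexed events and a conditional (such as `if [type] == "syslog"`) that the events never satisfy, so the grok never runs.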


(Sivabalan N) #2

The syslog pattern below is not creating fields in ES. I have tested this with the grok debugger as well.

root@siva-es:/etc/logstash/conf.d# cat 10-syslog-filter.conf
filter {
  # Only events whose type field equals "syslog" enter this block; any other
  # event passes through untouched and never gets the syslog_* fields.
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # A single add_field hash instead of the option given twice. The fields are
      # added only when the match succeeds; otherwise the event is tagged _grokparsefailure.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Split the syslog <PRI> value into facility and severity fields
    syslog_pri { }
    # Promote the parsed syslog timestamp to @timestamp
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Can someone help me here?

