Hi Badger ,
Ok I think I understand it maybe (50%). So yes I have already useragent in my patterns. Probably I just need to modify those lines?
I'm exactly at the same point: Want a Logstash Filter to Parse the Agent Field in Apache Access Log Files
if [host][name] == "SVGXXX-XXXXX-XX.maindomain.ch" {
if [event][module] == "nginx" {
if [fileset][name] == "access" {
mutate {
add_tag => ["anginx", "Anginx"]
}
if "anginx" in [tags] {
grok {
match => { "message" => "%{HTTPD_COMMONLOG} %{QS:referrer} %{QS:agent}" }
# remove_field => "message"
}
mutate {
gsub => [ "referrer", '^"', '', "referrer", '"$', '' ]
}
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
date {
match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[nginx][access][time]"
}
useragent {
source => "[nginx][access][agent]"
target => "[nginx][access][user_agent]"
remove_field => "[nginx][access][agent]"
}
geoip {
source => "[nginx][access][remote_ip]"
target => "[nginx][access][geoip]"
}
}
}
}
if [fileset][name] == "error" {
grok {
match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%
{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
remove_field => "message"
}
mutate {
rename => { "@timestamp" => "read_timestamp" }
}
date {
match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
remove_field => "[nginx][error][time]"
}
}
}
I recieve this:
[2020-04-20T20:19:06,289][ERROR][logstash.filters.useragent][main] Uknown error while parsing user agent data {:exception=>#<TypeError: cannot convert instance of class org.jruby.RubyHash to class java.lang.String>, :field=>"[agent]", :event=>#<LogStash::Event:0x8da38e>}
I also found this:
At the moment, I didn't found any working solution.