Logstash parsing problem

Vladpov · January 9, 2020, 9:12am

Hello guys!

I'm trying to parse the following type of log message:

111.22.333.444 - - [08/Jan/2020:11:50:15 +0100] [https://awdasfe.asfeaf.cas:111] "POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1" 204 0 "-" "-" (rt=0.555 urt=0.555 uct=0.122 uht=0.11)

My logstash conf file:

input {
  beats {
    port => 5044
  }
}

filter {
  grok { match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" } }

  geoip { source => "clientip" }
}


output {
  elasticsearch {
   hosts => ["localhost:9200"]
   index => "my_index5"
  }
}

I'm using almost the same patterns like in the github pattern library for COMMONAPACHELOG. When I put the code through grok debugger in Kibana it works the way I want but when I try to execute it on machine logstash throws me an error that there is a symbol expected before the "(?:%{WORD:verb} part and when I add there \ there is still a problem.

Does anyone have any suggestions for solving the problem?

Thanks in advance!

Badger · January 9, 2020, 5:58pm

You need to escape both of the double quotes inside the pattern using backslash, or else use single quotes around the pattern.

grok { match => { "message" => '%{IPORHOST:clientip} ...' } }

If you still get errors then show us the error message.

Vladpov · January 9, 2020, 6:39pm

Thank you for your help!

The thing that is bothering me now is this part:

(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})

I think at some point it should show the raw request part like POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1 and parse into verb and http version at the same time but I dont have the field rawrequest.

I'd like do it with referrer part as well so I could parse https://awdasfe.asfeaf.cas:111 for fields:

protocol: https
domain1: awdasfe
domain2: asfeaf
domain3: cas
port: 111

Badger · January 9, 2020, 6:47pm

No, alternation (the pipe character) does not work that way. If tries to parse it using the first part of the pattern (verb/request/httpversion) and only if that fails will it parse using the second part.

If you want to have both then change the initial grok to

%{DATA:rawrequest})

and add a second grok that does

match => { "rawrequest" => "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?" }

The same would apply to the referrer.

Vladpov · January 9, 2020, 7:01pm

Thank you very much for replying!

I just found the related topic to my question! How can i parse one field further into different fields in another grok pattern?

system · February 6, 2020, 7:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure in the file Logstash	6	948	August 30, 2017
_grokparsefailure but grok debugger looks good Logstash	18	2812	August 19, 2021
_grokparsefailure inspite of working well with grok debugger Logstash	10	1766	May 4, 2019
_grokparsefailure in Kibana although Grok tester returns "matched" Logstash	6	335	August 10, 2018
GROK pattern not working in Logstash Logstash	2	300	April 10, 2019

Logstash parsing problem

Related topics