Logstash pipeline for aws cloudfront fixing timestamp issue

miiimooo · May 26, 2023, 9:38am

This took me ages to figure out so I thought it might be helpful for someone else.

I'm parsing AWS CloudFront standard logs in logstash (v8.x)

The included grok pattern worked fine for me apart from the timestamp, since that uses a tab \t character to separate date and time and I couldn't get the date filter to parse that correcly.

The working solution:

filter {
  grok {
    match => {
      "message" => "%{CLOUDFRONT_ACCESS_LOG}"
    }
  }
  mutate {
    gsub => [
      "timestamp", "\t", " "
    ]
  }

  date {
    locale => "en"
    timezone => "UTC"
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
    target => "@timestamp"
  }

  geoip {
    source => "[source][ip]"
    target => "[client]"
  }

}

I've also left in the geoip lookup.

If there is a better way of doing this let me know

system · June 23, 2023, 9:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date filter and time zone transition Logstash	2	8902	July 31, 2017
Grok date parsing trouble Logstash	3	23022	July 6, 2017
Help parsing [06/Sep/2017:10:57:42 -0400] Logstash	24	4767	October 10, 2017
Log timestamp filed converting as time filter field Logstash	3	369	June 7, 2019
@timestamp not matching date parsed, apache logs Logstash	3	2799	July 6, 2017

Logstash pipeline for aws cloudfront fixing timestamp issue

Related topics