Manipulation apache logs

MSt · April 10, 2018, 4:46pm

Hello,
can I put the highlighted keyword (www.test.com) into another field and remove it from the beginning of the message?

The apache-access log looks like

**www.test.com** xx.xx.xx.xx - [10/Apr/2018:10:44:42 +0200] "GET http://www.test.com/small.1523279560.png HTTP/1.1" 200 3435 "https://www.test.com/lorem/?" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

Because the URL will irritate the geoip evaluation.

Thanks!

Badger · April 10, 2018, 5:07pm

If I understand the ask correctly then this will do it

    dissect { mapping => { "message" => "%{anotherfield} %{}" } }
    mutate { gsub => [ "message", "^[^ ]+ ", ""  ] }

MSt · April 10, 2018, 5:09pm

Thanks for your replay ...
Message should look like this after "www.test.com" is removed

xx.xx.xx.xx - [10/Apr/2018:10:44:42 +0200] "GET http://www.test.com/small.1523279560.png HTTP/1.1" 200 3435 "https://www.test.com/lorem/?" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "-"

Badger · April 10, 2018, 5:16pm

OK, then I understood the ask. The filter I gave will get you there.

MSt · April 10, 2018, 5:31pm

Yes, it works but now the message is not a COMBINEDAPACHELOG

My config looks like

grok {
     match => [
     "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
     "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
     ]
     overwrite => [ "message" ]
  }
  mutate {
     convert => ["response", "integer"]
     convert => ["bytes", "integer"]
     convert => ["responsetime", "float"]
  }
  geoip {
     source => "clientip"
     target => "geoip"
     add_tag => [ "apache-geoip" ]
  }
  date {
     match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
     remove_field => [ "timestamp" ]
  }
  useragent {
     source => "agent"
  }

Any idea to remove or better to set it to a new field but keep the message apache combined

Badger · April 10, 2018, 6:32pm

If xx.xx.xx.xx is your client IP then the message isn't really an apache combined log. There should be a user identity in that field. If your problem is that you have the wrong names for some of the fields then mutate+rename might be a better approach.

MSt · April 11, 2018, 5:59am

Do you have an approach for me? I have no idea to handle with it

MSt · April 11, 2018, 6:08am

Thanks for you help! I found a solution with your hints!

system · May 9, 2018, 6:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.