I marked as solved because what I changed based on your answer did work, but I think I did something wrong as now I am getting 4000 logs per minute in Elasticsearch rather than my expected 200...
I did this:
input {
  beats {
    port => "5044"
  }
}
filter {
  grok {
    match => { "message" => "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:time_stamp}\] %{QS:web_site} %{NUMBER:server_port} \"%{WORD:request_method} %{URIPATHPARAM:uri_path} HTTP/%{NUMBER:http_version}\" %{NUMBER:response} (?:%{QS:referer}|-) %{QS:user_agent} %{NUMBER:bytes_received} %{NUMBER:bytes_sent}" }
    match => { "message" => "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:time_stamp}\] %{QS:web_site} %{NUMBER:server_port} %{QS:request_method} %{NUMBER:response} %{QS:referer} %{QS:user_agent} %{NUMBER:bytes_received} %{NUMBER:bytes_sent}" }
  }
  geoip {
    source => "client_ip"
  }
}
output {
  elasticsearch {
    hosts => [ "10.1.0.20:9200" ]
  }
}
Which, re-reading your post, does not look like what you actually suggested. Can you give me a better example of what I would do in my case?
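As an added example (editor's, not from the poster or from any reply in this thread): the usual way to give grok more than one pattern for the same field is a single match option whose value for "message" is a list. The patterns are tried in order and, because break_on_match defaults to true, the first one that matches wins and the rest are skipped. The two patterns, the Beats port and the Elasticsearch host below are taken from the post above; nothing else is assumed.

```logstash
input {
  beats {
    port => "5044"
  }
}

filter {
  grok {
    # One match option, two alternative patterns for the same field.
    # The first pattern handles a quoted request line that can be split
    # into method, path and HTTP version; the second is the fallback
    # for request lines that do not fit that shape.
    match => {
      "message" => [
        "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:time_stamp}\] %{QS:web_site} %{NUMBER:server_port} \"%{WORD:request_method} %{URIPATHPARAM:uri_path} HTTP/%{NUMBER:http_version}\" %{NUMBER:response} (?:%{QS:referer}|-) %{QS:user_agent} %{NUMBER:bytes_received} %{NUMBER:bytes_sent}",
        "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:time_stamp}\] %{QS:web_site} %{NUMBER:server_port} %{QS:request_method} %{NUMBER:response} %{QS:referer} %{QS:user_agent} %{NUMBER:bytes_received} %{NUMBER:bytes_sent}"
      ]
    }
    # Explicit here for clarity; this is already the default.
    break_on_match => true
  }

  # Lines that match neither pattern get the default _grokparsefailure tag,
  # which is worth counting in Elasticsearch to see how much is unparsed.
  geoip {
    source => "client_ip"
  }
}

output {
  elasticsearch {
    hosts => [ "10.1.0.20:9200" ]
  }
}
```

One check worth doing when the event count is a clean multiple of what is expected: if Logstash is pointed at a config directory (or pipelines.yml lists a directory), every .conf file in it is concatenated into one pipeline, so each file that still carries its own output block sends every event to Elasticsearch again. Leftover copies of an earlier config, or a Beats agent still shipping the same file from more than one host, produce the same symptom.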