Need help with logstash conf file - splitting log message


#1

Hello guys,

please could you help me to create logstash conf.d file for splitting following message?

1.234.85.29 <1.234.85.29> - - [24/Nov/2018:20:54:11 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "-"

and following

85.216.232.12 <141.101.96.139> - - [24/Nov/2018:19:56:36 +0000] "GET /error/error-pages.css HTTP/1.1" 200 43506 "https://01exchange.io/dashboard/0" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" "85.216.232.12"

I know this can be time consuming and maybe I am asking too much to just get the solution here. But if you do not have time, please could you give me some clue on how to work this out?

I know there is grok debugger but I have no idea how it works.

Thank you


#2

The biggest problem is how to write following:

  1. I know 1.234.85.29 can be written as %{IP:client}
    But how can I write it if it has <> ? <41.101.96.139> ?

  2. How can I write those dashes "-" ?

  3. How can I process anything which is in quotes "" ?


#3

ok I think I got it:

%{IP:client} <%{IP:host}> - - \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent} "(?:%{IP:endclient}|-)"
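To show how grok actually works on the two lines from the first post, here is an added example (not part of the original thread, and not Logstash's own code): a short Python script that expands `%{NAME:field:type}` references into one regular expression, the same substitution the grok debugger performs, then matches both sample lines and renders the expression as a `filter { grok { ... } }` stanza. The pattern library entries are simplified stand-ins for Logstash's core patterns (the real `IP` also covers IPv6, and `QS` is more elaborate); the square brackets are escaped because unescaped `[`...`]` would be read as a regex character class, and the last field accepts either an IP or `-`, since the first sample line ends in `"-"`.

```python
import re

# Simplified stand-ins for a few of Logstash's core grok patterns (assumption:
# the real library definitions are longer, but these cover the sample lines).
PATTERNS = {
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01])",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "YEAR": r"\d{4}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "INT": r"[+-]?\d+",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",  # built from others
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "QS": r'"(?:\\.|[^"\\])*"',
}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")

# Corrected version of the pattern from post #3: brackets escaped, last field
# accepts an IP or "-", status and size converted to integers.
ACCESS_LOG = (
    r'%{IP:client} <%{IP:host}> - - \[%{HTTPDATE:timestamp}\] '
    r'"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}" '
    r'%{NUMBER:response:int} %{NUMBER:bytes:int} %{QS:referrer} %{QS:agent} '
    r'"(?:%{IP:endclient}|-)"'
)

# The two lines quoted in the first post.
SAMPLE_LINES = [
    '1.234.85.29 <1.234.85.29> - - [24/Nov/2018:20:54:11 +0000] '
    '"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 444 0 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" "-"',
    '85.216.232.12 <141.101.96.139> - - [24/Nov/2018:19:56:36 +0000] '
    '"GET /error/error-pages.css HTTP/1.1" 200 43506 "https://01exchange.io/dashboard/0" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" "85.216.232.12"',
]


def grok_to_regex(expr, patterns=PATTERNS):
    """Expand grok references into a compiled regex; also return {field: type}."""
    types = {}

    def substitute(m):
        name, field, typ = m.groups()
        body = patterns[name]
        if field:
            types[field] = typ
            return f"(?P<{field}>{body})"   # named capture -> event field
        return f"(?:{body})"                 # anonymous reference

    # Library patterns reference other patterns, so repeat until none remain.
    while GROK_REF.search(expr):
        expr = GROK_REF.sub(substitute, expr)
    return re.compile(expr), types


def parse(line, regex, types):
    """Match one log line; return a dict of fields, or None (grok failure)."""
    m = regex.fullmatch(line)
    if not m:
        return None
    fields = {}
    for name, value in m.groupdict().items():
        if value is None:        # the "-" alternative matched, field is absent
            continue
        if types.get(name) == "int":
            value = int(value)
        elif types.get(name) == "float":
            value = float(value)
        fields[name] = value
    return fields


def parse_samples():
    """Parse both sample lines with the corrected expression."""
    regex, types = grok_to_regex(ACCESS_LOG)
    return [parse(line, regex, types) for line in SAMPLE_LINES]


def logstash_filter(expr):
    """Render the expression as a Logstash filter stanza; inside a
    double-quoted config string every '"' is written as '\\"'."""
    escaped = expr.replace('"', '\\"')
    return (
        "filter {\n"
        "  grok {\n"
        f'    match => {{ "message" => "{escaped}" }}\n'
        '    tag_on_failure => ["_grokparsefailure"]\n'
        "  }\n"
        "  date {\n"
        '    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]\n'
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for event in parse_samples():
        print(event)
    print(logstash_filter(ACCESS_LOG))
```

The printed stanza can be pasted into a conf.d file between your `input { ... }` and `output { ... }` blocks; the `date` filter turns the `timestamp` string into `@timestamp`, and any line the expression does not match is tagged `_grokparsefailure` so it can be found instead of silently passing through unparsed.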