Need VHOST field with COMBINEDAPACHELOG

infinitetutts · July 4, 2016, 9:40pm

How do I add 'site.com' as a new field ?

Logstash Config:

  filter {
      if [type] == "apache" {
        grok {
          match => [ "message", "%{URIHOST} %{COMBINEDAPACHELOG}" ]
        }
      }
    }

Apache Log:

site.com:80 192.168.1.2 - - [04/Jul/2016:22:34:23 +0100] "GET /ga.php?utmac=UA-54083301-21&utmn=1564100486&utmr=https%3A%2F%2Fwww.site.com%2Fm%2Fquickfire%2Fkeyboard%2Fpro%2F%3Fpage%3D2&utmp=%2Fm%2Fquickfire%2Fkeyboard%2Fpro%2F%3Fpage%3D3&guid=ON HTTP/1.1" 200 489 "Custom Application Development Software for Business - Salesforce.com" "Opera/9.80 (BlackBerry; Opera Mini/8.0.35667/37.8678; U; en) Presto/2.12.423 Version/12.16"

magnusbaeck · July 5, 2016, 6:16am

%{IPORHOST:virtualhost}:%{INT:port:int} %{COMBINEDAPACHELOG}

infinitetutts · July 5, 2016, 10:49am

Thank you so much !

Works perfect <3.

filter {
  if [type] == "apache" {
    grok {
      match => [ "message", "%{IPORHOST:virtualhost}:%{INT:port:int} %{COMBINEDAPACHELOG}" ]
    }
  }
}