Nested grok on custom syslogs of vernish servers

Ferdous_Shibly · May 1, 2018, 5:15pm

Hi,

I am trying to process custom access logs of vernish servers. The log format is:

%h %t %r %>s %b %{resp.http.X-Cache}V %{req.http.user-agent}V %{req.http.referer}V %{geoip.city}V

Here is a sample logs:

Mar 25 09:57:33 X VerticalAlfa X<134>2018-03-25T13:57:32Z cache-scl19420 VerticalAlfa_syslog[28479]: 190.233.180.138 [25/Mar/2018:13:47:30 +0000] POST /diez-platos-fundamentales-de-la-cocina-peruana-1190601?url=https%3A%2F%2Fwww.VerticalAlfa.com%2Fdiez-platos-fundamentales-de-la-cocina-peruana-1190601 HTTP/1.1 503 “-” MISS Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 https://www.VerticalAlfa.com/diez-platos-fundamentales-de-la-cocina-peruana-1190601 Lima

How do we extract all the field in Logstash?

Here is the logstash filter configuration

> filter {
> 
>   grok {
>     match => {
>       "message" => "%{CISCOTIMESTAMP} X %{WORD:vertical} X%{SYSLOG5424PRI}%{SYSLOGLINE}"
>         if ("" in [message]) {
>          grok {
>            match => {
>              "message" => "%{IPORHOST:clientip} %{SYSLOG5424SD} %{WORD:verb} %{URIPATHPARAM} HTTP/%{NUMBER:httpversion} %{DATA:reques:int} (?:-|%{NUMBER:bytes:int}) %{WORD:varnish_hierarchy_status} %{QS:referrer} %{QS:agent} %{URI} %{WORD:city}"
>            }
>          }
>       }
>     }
>   }
>
> }

But it is not matching any logs. Please help.

Cheers
Ferdous Shibly

yaauie · May 1, 2018, 9:48pm

The pasted configuration won't compile -- we cannot embed plugins inside of other plugins.

Instead, we typically chain the plugins, using each to extract the information needed by the ones that follow it:

filter {
  grok {
    match => {
      "message" => "%{CISCOTIMESTAMP} X %{WORD:vertical} X%{SYSLOG5424PRI}${GREEDYDATA:[@metadata][syslog_line]}"
    }
  }
  # if that succeeded, continue parsing from the value we placed in `[@metadata][syslog_line]`:
  if "_grokparsefailure" not in [tags] {
    grok {
      match => {
        "[@metadata][syslog_line]" => "%{IPORHOST:clientip} %{SYSLOG5424SD} %{WORD:verb} %{URIPATHPARAM} HTTP/%{NUMBER:httpversion} %{DATA:reques:int} (?:-|%{NUMBER:bytes:int}) %{WORD:varnish_hierarchy_status} %{QS:referrer} %{QS:agent} %{URI} %{WORD:city}"
      }
    }
  }
}

Ferdous_Shibly · May 2, 2018, 6:02am

@yaauie Thanks fro your help. I can't process

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

with %{QS:referrer} %{QS:agent}. Is there any other way?

yaauie · May 2, 2018, 6:25am

You may want to use the Grok Constructor, a tool for building patterns, using a variety of input lines.

system · May 30, 2018, 6:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.