Parse Apache Error Logs

Is there something I'm missing? Currently using Filebeat to send Apache 2.4 logs to Elasticsearch. Access logs get parsed fine (well, mostly, have lots of grok errors) but error_log always shows grok error and inputs log line into message field. Thanks for your help.

I just checked. In last 24 hours I had only 28% of my error_log entries pass the grok filter. Not a very good batting average!!

  • 64,216 Total hits
  • 46,032 had Grok errors
  • 18,095 listed no Grok Errors

Why do you make it complex?
Just use filebeat apache module then send it directly to Elasticsearch...
There are access and error paths to get your logs...

Huh?

That's exactly what I'm doing....

Help please!

Please check the filebeat events in the log, or you can see in systemctl status filebeat -l.
Then you need to adjust the filebeat.yml configuration following this:

Try to increase more than events that occurred in the filebeat log

@fadjar340 how does configuring the internal queue fix grok errors?

Example line with issue:

Provided Grok expressions do not match field value: [{\"time\":\"2020-11-02 13:31:55.532653\", \"function\" : \"[php7:notice]\", \"process\" : \"[pid17900]\" , \"message\" : \"PHP Notice:  Only variables should be assigned by reference in /var/www/hosted-domain.com/httpdocs/category.php on line 209\", \"remoteIP\" : \"207.46.13.97:20955\", \"server\" : \"server8\" }]
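The sample line in the last post is a JSON object, not the bracketed layout Apache 2.4 writes by default. The following is an added example, not part of the thread and not Filebeat's own pattern: it sorts error_log lines by format and extracts the same fields from both. The regex, function names and all sample lines except the first are assumptions made for illustration.

```python
import json
import re
from collections import Counter

# Approximation of Apache 2.4's default error-log layout (an assumption for
# illustration, not the grok pattern the Filebeat module ships).
DEFAULT_24 = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$"
)

def parse_error_line(line):
    """Return (format, fields); format is 'json', 'apache24' or 'unparsed'."""
    line = line.strip()
    if line.startswith("{"):
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            return "unparsed", {"message": line}
        # Normalise the bracketed values used in the thread's sample line.
        module, _, level = str(raw.get("function", "")).strip("[]").partition(":")
        pid = re.search(r"\d+", str(raw.get("process", "")))
        return "json", {
            "time": raw.get("time"), "module": module, "level": level,
            "pid": int(pid.group()) if pid else None,
            "client": raw.get("remoteIP"), "message": raw.get("message"),
        }
    match = DEFAULT_24.match(line)
    if match:
        return "apache24", {**match.groupdict(), "pid": int(match["pid"])}
    return "unparsed", {"message": line}

def format_counts(lines):
    """Count how many lines fall into each format, to size the mismatch."""
    return Counter(parse_error_line(l)[0] for l in lines if l.strip())

# Constructed input: the thread's sample with the \" escaping removed, a
# default-layout line with a documentation IP, and a truncated JSON line.
SAMPLE = [
    '{"time":"2020-11-02 13:31:55.532653", "function" : "[php7:notice]", '
    '"process" : "[pid17900]" , "message" : "PHP Notice:  Only variables '
    'should be assigned by reference in /var/www/hosted-domain.com/httpdocs/'
    'category.php on line 209", "remoteIP" : "207.46.13.97:20955", '
    '"server" : "server8" }',
    "[Mon Nov 02 13:31:55.532653 2020] [php7:notice] [pid 17900] "
    "[client 192.0.2.10:20955] PHP Notice:  constructed example",
    '{"time":"2020-11-02 13:31:56.000001", "function" : "[core:error]"',
]

if __name__ == "__main__":
    print(format_counts(SAMPLE))
```

Running `format_counts` over a real error_log shows how many lines are in each format, which can be compared with the share of events that carry grok errors.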
