Parsing Akamai logs

Fabs · September 12, 2018, 11:41am

Hi all,
good morning

I'm new about the ELK world. I have a problem on parsing Akamai logs.

I report you a log as example:

< 2018-08-01 15:12:33 126.237.114.223 GET [request] 200 1270 0 "[url]" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100 Safari Line/8.11.0" "-" />

in particular I can't parse the "date" information. I've tried with several patterns but I can't extract the year with four digits but just two:

18-08-01 instead of 2018-08-01

I hope I was clear

Thank you so much

Regards

magnusbaeck · September 12, 2018, 5:01pm

What does your grok filter look like?

Fabs · September 13, 2018, 8:07am

Hi Magnus,

that's my grok filter:

grok {
match => { "message" => [ "%{DATE:date}\t%{TIME:time}\t%{IPV4:IP}\t%{WORD:method}\t%{URIPATHPARAM:url_path}\t%{NUMBER:server_response}\t%{NUMBER:bytes}\t%{NUMBER:boh}\t"%{URI:referrer}"\t"%{NOTSPACE:useragent}\s%{GREEDYDATA:useragentinfo}"\t"%{GREEDYDATA:boh2}"" ] }
}

magnusbaeck · September 13, 2018, 9:34am

If you look at the definition of DATE,

github.com

logstash-plugins/logstash-patterns-core/blob/v4.1.2/patterns/grok-patterns#L67-L72


DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|60)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}

you'll see that it's not appropriate for yyyy-mm-dd dates. You can replace %{DATE:date} with (?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}).

system · October 11, 2018, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.