Parsing apache access log file and extract timestamp

Eliot54 · December 24, 2018, 5:05pm

I'm trying to use a custom log file with the following format in ELK :

109.70.81.5 - - [01/Jul/1995:00:00:01 -0400] "GET /history/apollo/ HTTP/1.0" 200 6245

However logstash /kibana keeps using my localhosts timestamp instead of the one from the log file. Here is my config file :

filter {
  if [type] == "apache-common" {
grok {
  match => { "message" => "%{COMMONAPACHELOG}" }
}
date {
  match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss -SSSS" ]
  target => "timestamp"
  add_field => { "debug" => "timestampMatched"}
}
  }
}

And the JSON result file is the following :

{
  "_index": "sdata",
  "_type": "doc",
  "_id": "g4Tu4GcB2Kx_V5iannxt",
  "_version": 1,
  "_score": null,
  "_source": {
    "message": "UNKNOWN_HOST - - [01/Jul/1995:04:11:55 -0400] \"GET /history/apollo/images/footprint-small.gif HTTP/1.0\" 200 0",
    "tags": [
      "_grokparsefailure"
    ],
    "type": "apache-common",
    "@timestamp": "2018-12-24T15:55:26.252Z",
    "@version": "1",
    "host": "userver",
    "path": "/home/user/data/access"
  },
  "fields": {
    "@timestamp": [
      "2018-12-24T15:55:26.252Z"
    ]
  },
  "sort": [
    1545666926252
  ]
}

AquaX · January 3, 2019, 3:30pm

Either remove this line or change it to:

target => "@timestamp"

system · January 31, 2019, 3:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.