Hello,
can anyone kindly help me to solve this problem?
I'm trying to parse the fields of a haproxy log, then dissect that message to map the different message values into fields for Logstash. But I have the impression that the conf is not matched, because I get no data back.
My log type is:
2022-02-09T17:43:25+01:00 localhost.localdomain haproxy[110793]: 123.45.67.89:7640 [09/Feb/2022:17:43:24\.918] front-toto-ssl~ prod-srv-avis_toto/server 247/0/1/10/258 200 873 - - ---- 76/70/1/1/0 0/0 {12.345.67.89|service_web\|Mozilla/5.0 (Linux; Android 11; CPH2091) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36\|https://www.service_web.fr/} "GET //request HTTP/1.1" ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,"",""}
(I modified some data that I cannot display)
With the grok debugger, I have the right configuration for the fields:
%{} %{} %{} %{}\:%{} \[%{GREEDYDATA:raw_timestamp}\] %{} %{} %{} %{NUMBER:response} %{NUMBER:bytes} - - ---- %{} %{} \{%{IPV4:ip}\|%{}\|%{GREEDYDATA:agent}\|%{URI:url2}\} "%{WORD:verbose} %{GREEDYDATA:url} HTTP\/%{NUMBER:version}" %{}
But when I translate this in my confs, the log is not matched.
  # (the earlier "if" branches for the other log types are not shown in the post)
  else if [message] =~ /^\S+ \S+ haproxy\[\d+\]: / {
    # The condition regex in the original post could not match anything:
    # "[^]*" is an empty character class, the opening quote was followed by
    # a space that the log line does not contain, and "[^ ]*" cannot consume
    # a user agent that contains spaces. Checking that the line is a haproxy
    # entry is enough here; the dissect filter does the field extraction.
    dissect {
      mapping => {
        # %{} is a skip field; the closing quote of the mapping was missing
        "message" => '%{} %{} %{}: %{}:%{} [%{timestamp}] %{} %{} %{} %{response} %{bytes} - - ---- %{} %{} {%{clientip}|%{}|%{agent}|%{referrer}} "%{verb} %{request} %{httpversion}" %{}'
      }
      add_tag => ["matched"]
    }
  }
-
When I use this I didn't get any errors, but when I tried to push the logs there was no index created.
-
I would request anyone to help me out with this; I'm totally not sure whether I'm using the conditions in the right place.
-
I'm sorry if the display conditions are not met; this is the first time I have posted a message here.
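One way to check a dissect mapping offline before loading it into Logstash, as an added example that is neither the poster's code nor part of Logstash: it re-implements the basic dissect rule (each `%{name}` runs up to the literal that follows it in the mapping, `%{}` is skipped, and the last field takes whatever is left) and runs the post's mapping over a constructed copy of the sample line with the stray backslashes removed.

```python
import re

# Constructed sample line in the haproxy format quoted in the post
# (addresses and hostnames are the placeholders the poster used).
SAMPLE = ('2022-02-09T17:43:25+01:00 localhost.localdomain haproxy[110793]: '
          '123.45.67.89:7640 [09/Feb/2022:17:43:24.918] front-toto-ssl~ '
          'prod-srv-avis_toto/server 247/0/1/10/258 200 873 - - ---- 76/70/1/1/0 0/0 '
          '{12.345.67.89|service_web|Mozilla/5.0 (Linux; Android 11; CPH2091) '
          'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36'
          '|https://www.service_web.fr/} "GET //request HTTP/1.1" '
          'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,"",""}')

# The dissect mapping from the post, using %{} for the skipped fields.
MAPPING = ('%{} %{} %{}: %{}:%{} [%{timestamp}] %{} %{} %{} %{response} %{bytes} '
           '- - ---- %{} %{} {%{clientip}|%{}|%{agent}|%{referrer}} '
           '"%{verb} %{request} %{httpversion}" %{}')

FIELD = re.compile(r'%\{([^}]*)\}')


def dissect(mapping, line):
    """Minimal re-implementation of the dissect rule: every %{name} consumes
    text up to the first occurrence of the literal delimiter that follows it
    in the mapping; the last field consumes the rest of the line.
    Returns a dict of the named fields, or None when a delimiter is not
    found (the "not matched" case the post describes)."""
    parts = FIELD.split(mapping)          # [lit0, name0, lit1, name1, ..., litN]
    literals, names = parts[0::2], parts[1::2]
    if not line.startswith(literals[0]):
        return None
    pos = len(literals[0])
    fields = {}
    for name, delim in zip(names, literals[1:]):
        if delim == '':
            end = len(line)                # last field: take everything left
        else:
            end = line.find(delim, pos)
            if end < 0:
                return None                # delimiter missing: no match
        if name:                           # %{} is a skip field
            fields[name] = line[pos:end]
        pos = end + len(delim)
    return fields


if __name__ == '__main__':
    for key, value in dissect(MAPPING, SAMPLE).items():
        print(f'{key} = {value}')
```

If a line yields None here, the mapping will not match in Logstash either; compare the literals between the fields with the real message character by character.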