Parsing message for haproxy logs not matched

Hello,

Can anyone kindly help me to solve this problem?

I'm trying to parse the fields of a haproxy log then dissect that message to map the different message values into fields for logstash. But I have the impression that the conf is not matched because I have no data to recover.

My log type is:

2022-02-09T17:43:25+01:00 localhost.localdomain haproxy[110793]: 123.45.67.89:7640 [09/Feb/2022:17:43:24.918] front-toto-ssl~ prod-srv-avis_toto/server 247/0/1/10/258 200 873 - - ---- 76/70/1/1/0 0/0 {12.345.67.89|service_web|Mozilla/5.0 (Linux; Android 11; CPH2091) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36|https://www.service_web.fr/} "GET //request HTTP/1.1" ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,"",""}

(I modified some data that I cannot display)

With the grok debugger, I have the good configuration for the fields:

%{} %{} %{} %{}\:%{} \[%{GREEDYDATA:raw_timestamp}\] %{} %{} %{} %{NUMBER:response} %{NUMBER:bytes} - - ---- %{} %{} \{%{IPV4:ip}\|%{}\|%{GREEDYDATA:agent}\|%{URI:url2}\} "%{WORD:verbose} %{GREEDYDATA:url} HTTP\/%{NUMBER:version}" %{}

But when I translate this in my confs, the log is not matched.

        else if [message] =~ /^ ([^]*) ([^ ]*) ([^ ]*)\: ([^ ]*)\:([^ ]*) \[[^ ]*(?= )\] ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) \- \- \-\-\-\- ([^]*) ([^ ]*) \{([^ ]*)\|([^ ]*)\|([^ ]*)\|([^ ]*)\} \" ([^ ]*) ([^ ]*)  HTTP\/[^\" ]*\" ([^ ]*)/ {
            dissect {
                mapping => {
                    "message" => '%{ } %{ } %{ }: %{ }:%{ } [%{timestamp}] %{ } %{ } %{ } %{response} %{bytes} - - ---- %{ } %{ } {%{clientip}|%{ }|%{agent}|%{referrer}} "%{verb} %{request} %{httpversion}" %{ }'
                }
                add_tag => ["matched"]
            }
        }
  • When I use this I didn't get any errors, but when I tried to push the logs there was no index created.

  • I would request anyone to help me out with this; I'm totally not sure whether I'm using the conditions in the right place.

  • I'm sorry if the display conditions do not match, this is the first time I have posted a message here.
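Added example, not part of the original post: a Ruby sketch that parses the sample line with one anchored regex and shows that a header pattern built only from `[^ ]*`, as in the posted condition, cannot span the user agent because it contains spaces. The names `timestamp`, `response`, `bytes`, `clientip`, `agent`, `referrer`, `verb`, `request` and `httpversion` follow the post's dissect mapping; every other name is an assumption made for this sketch.

```ruby
# Added example (not from the original post). SAMPLE is the post's log line
# with the stray markdown backslashes dropped.
SAMPLE = '2022-02-09T17:43:25+01:00 localhost.localdomain haproxy[110793]: 123.45.67.89:7640 [09/Feb/2022:17:43:24.918] front-toto-ssl~ prod-srv-avis_toto/server 247/0/1/10/258 200 873 - - ---- 76/70/1/1/0 0/0 {12.345.67.89|service_web|Mozilla/5.0 (Linux; Android 11; CPH2091) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36|https://www.service_web.fr/} "GET //request HTTP/1.1" ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 {0,"",""}'

# Extended mode: whitespace and "#" comments inside the pattern are ignored.
HAPROXY_HTTP = Regexp.new(<<~'RE', Regexp::EXTENDED)
  \A(?<syslog_time>\S+)\s(?<syslog_host>\S+)\s(?<program>[^\[\s]+)\[(?<pid>\d+)\]:
  \s(?<peer_ip>\S+):(?<peer_port>\d+)
  \s\[(?<timestamp>[^\]]+)\]            # accept date, delimited by brackets
  \s(?<frontend>\S+)\s(?<backend>[^/\s]+)/(?<server>\S+)
  \s(?<timers>[\d/+-]+)\s(?<response>\d{3})\s(?<bytes>\+?\d+)
  \s(?<req_cookie>\S+)\s(?<res_cookie>\S+)\s(?<term_state>\S{4})
  \s(?<conns>[\d/]+)\s(?<queues>[\d/]+)
  \s\{(?<captured>[^}]*)\}              # captured headers may contain spaces
  \s"(?<verb>[A-Z]+)\s(?<request>\S+)\sHTTP/(?<httpversion>[\d.]+)"
RE

# Returns a Hash of fields, or nil when the line does not have this shape
# (the caller can then tag the event instead of silently losing it).
def parse_haproxy(line)
  m = HAPROXY_HTTP.match(line)
  return nil unless m

  f = m.named_captures
  # limit -1 keeps empty header slots so positions stay aligned;
  # the second header is skipped, as in the post's mapping.
  f['clientip'], _, f['agent'], f['referrer'] = f.delete('captured').split('|', -1)
  f['response'] = f['response'].to_i
  f['bytes'] = f['bytes'].to_i
  f
end

# Header part of the posted condition, copied as written: every slot is [^ ]*.
SPACE_FREE_HEADERS = /\{([^ ]*)\|([^ ]*)\|([^ ]*)\|([^ ]*)\}/

if __FILE__ == $PROGRAM_NAME
  p parse_haproxy(SAMPLE)
  p SPACE_FREE_HEADERS.match(SAMPLE) # nil: the user agent contains spaces
end
```

A line with a leading space also returns `nil` here, which is the same reason a condition anchored with `^ ` never fires on this sample.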
