Hi all,
I'm having a problem while using the grok filter. For instance, I'm trying to parse nginx logs using this pattern:
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} %{QS:xforwardedfor} %{IPORHOST:host} %{BASE10NUM:request_duration}
I'm pretty sure other people use this pattern for nginx log, it's pretty standard.
Because grok doesn't ship with this pattern by default, I'm using this configuration:
filter {
  if [type] == "proxy_nginx" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      match => { "message" => "%{NGINXACCESS}" }
      add_field => { "index_name" => "nginx" }
      add_tag => ["output_elastic"]
    }
  }
}
I'm using patterns_dir to tell logstash where to look for the pattern... it's not working and I get _grokparsefailure...
Here is an example log:
10.55.6.104 - - [2017-04-12T16:31:07+00:00] \"GET /check HTTP/1.1\" 200 0 \"-\" \"ELB-HealthChecker/2.0\"
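A grok parse failure only says that the whole pattern failed, so the usual check is to match the pattern token by token against the sample line. The script below is an added example, not part of the post or of logstash: it expands the poster's NGINXACCESS pattern (with simplified stand-ins for logstash's core patterns, an assumption) into a regex and reports how far along the pattern the sample line matches. Run against the sample line, it stops after the auth field, at the \[%{HTTPDATE:timestamp}\] token, because the line carries an ISO 8601 timestamp; swapping in TIMESTAMP_ISO8601 gets as far as the agent field, and the line then ends before the xforwardedfor, host and request_duration fields the pattern still expects.

```python
import re

# Simplified stand-ins for logstash's core grok patterns (assumption: shorter than the
# real grok-patterns definitions, but accept the same fields), plus the post's patterns.
PATTERNS = {
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2}|Z)?",
    "WORD": r"\w+", "URIPATHPARAM": r"/[^\s\"]*",
    "NUMBER": r"-?\d+(?:\.\d+)?", "BASE10NUM": r"-?\d+(?:\.\d+)?",
    "URI": r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"]+", "QS": r"\"(?:[^\"\\]|\\.)*\"",
    "NGUSERNAME": r"[a-zA-Z\.\@\-\+_%]+",
    "NGUSER": "%{NGUSERNAME}",
    "NGINXACCESS": r'%{IPORHOST:clientip} %{NGUSER:ident} %{NGUSER:auth} '
                   r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATHPARAM:request} '
                   r'HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) '
                   r'(?:"(?:%{URI:referrer}|-)"|%{QS:referrer}) %{QS:agent} '
                   r'%{QS:xforwardedfor} %{IPORHOST:host} %{BASE10NUM:request_duration}',
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def to_regex(pattern, fields, defs=PATTERNS):
    """Expand %{NAME:field} references recursively. Grok's Oniguruma engine allows a
    field name twice (see 'referrer' above) and Python's re does not, so plain groups
    are used and each field name is recorded in `fields` in group-number order."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        if field:
            fields.append(field)  # the outer group opens before any inner group
            return "(" + to_regex(defs[name], fields, defs) + ")"
        return "(?:" + to_regex(defs[name], fields, defs) + ")"
    return REF.sub(sub, pattern)

def grok(pattern, line, defs=PATTERNS):
    """Captured fields as a dict, or None where logstash would tag _grokparsefailure."""
    fields = []
    m = re.search(to_regex(pattern, fields, defs), line)
    return None if m is None else {f: v for f, v in zip(fields, m.groups()) if v is not None}

def longest_matching_prefix(pattern, line, defs=PATTERNS):
    """Debug aid: returns how many space-separated tokens of `pattern` match the line,
    plus the fields captured up to that point."""
    tokens, best = pattern.split(" "), (0, {})
    for n in range(1, len(tokens) + 1):
        got = grok(" ".join(tokens[:n]), line, defs)
        if got is not None:
            best = (n, got)
    return best

# Constructed sample: the poster's line with the copy-paste backslashes removed.
SAMPLE = ('10.55.6.104 - - [2017-04-12T16:31:07+00:00] "GET /check HTTP/1.1" '
          '200 0 "-" "ELB-HealthChecker/2.0"')
```

Call longest_matching_prefix(PATTERNS["NGINXACCESS"], SAMPLE) to see the last token that matched; the same check with HTTPDATE replaced by TIMESTAMP_ISO8601 in the pattern string shows the remaining gap at the end of the line.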