I'm trying to parse an Apache log that was sent by syslog, but I get a _grokparsefailure error in Kibana and nothing in the Logstash log. Yet I tested the grok patterns on http://grokconstructor.appspot.com with several lines of log and everything was OK.
I changed the config file to use the "program" field instead of the "type" field.
Below is the complete config file with rubydebug output:
    input {
      syslog {
        type => syslog
        port => 5140
      }
    }

    filter {
      if [program] == "apache-access" {
        grok {
          match => { "message" => "%{SYSLOGBASE} %{COMBINEDAPACHELOG}" }
        }
      }
      else if [program] == "apache-error" {
        grok {
          match => { "message" => "%{HTTPD24_ERRORLOG}" }
          patterns_dir => ["/etc/logstash/patterns"]
        }
      }
    }

    # rubydebug output, as described above
    output {
      stdout { codec => rubydebug }
    }
Do you really need %{SYSLOGBASE} in your grok expression? I'm pretty sure the syslog input strips the syslog "header" and makes sure only the message payload itself ends up in message. The evidence you've presented suggests that such is the case.
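To make the point of that reply concrete, here is an added Python example (not from the post, and not Logstash's own code) that mimics what the syslog input does to an event and then runs two grok-style matches over the resulting `message` field. The regexes are hand-written approximations of the SYSLOGBASE and COMBINEDAPACHELOG grok patterns rather than the ones shipped with Logstash, and the log line is constructed for the example.

```python
import re

# Constructed sample: an Apache combined-format access line as it arrives
# inside an RFC 3164 syslog frame (example data, not from the original post).
RAW_SYSLOG = (
    "<134>Mar  3 10:15:42 webhost apache-access: "
    '203.0.113.5 - - [03/Mar/2017:10:15:42 +0100] "GET /index.html HTTP/1.1" '
    '200 4523 "http://example.com/" "Mozilla/5.0"'
)

# Approximation of grok's SYSLOGBASE: timestamp, host, program[pid]:
SYSLOGBASE = (
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
)

# Approximation of grok's COMBINEDAPACHELOG (hand-written, not the shipped pattern).
COMBINEDAPACHELOG = (
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# What the syslog input itself parses: optional <PRI>, the header, then the payload.
SYSLOG_FRAME = re.compile(r"^(?:<\d{1,3}>)?" + SYSLOGBASE + r"(?P<message>.*)$")

# The two grok expressions under discussion, applied to event["message"].
WITH_SYSLOGBASE = re.compile("^" + SYSLOGBASE + COMBINEDAPACHELOG)   # poster's version
WITHOUT_SYSLOGBASE = re.compile("^" + COMBINEDAPACHELOG)             # reply's suggestion


def syslog_input(line):
    """Mimic the syslog input: header fields become their own keys and
    only the payload is left in 'message'."""
    m = SYSLOG_FRAME.match(line)
    if not m:
        # Logstash tags unparseable frames this way and keeps the raw line.
        return {"message": line, "tags": ["_grokparsefailure_sysloginput"]}
    return m.groupdict()


def grok(event, pattern):
    """Apply one grok-style match to event['message']; tag on a miss,
    merge the captured fields on a hit, like the grok filter does."""
    m = pattern.match(event["message"])
    if m is None:
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    return {**event, **m.groupdict()}


def run_both():
    """Return (event after syslog input, result with SYSLOGBASE, result without)."""
    event = syslog_input(RAW_SYSLOG)
    broken = grok(event, WITH_SYSLOGBASE)      # header is already gone -> no match
    fixed = grok(event, WITHOUT_SYSLOGBASE)    # payload alone matches
    return event, broken, fixed


if __name__ == "__main__":
    event, broken, fixed = run_both()
    print("program:", event["program"])
    print("message:", event["message"])
    print("with SYSLOGBASE  ->", broken.get("tags"))
    print("without          ->", fixed["clientip"], fixed["verb"], fixed["response"])
```

Run it and the first match is tagged `_grokparsefailure` while the second yields the Apache fields; the `program` field used in the `if [program] == ...` conditional comes from the syslog input, which is exactly why the header is no longer in `message` when grok sees it.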