Hi All
I have log file as below
07/03/2016 03:54:56 07/03/2016 03:54:57 192.168. 2. 3 209.132.182. 33 203.115.80.90 TCP 50467 80 DNAT 2423
And my filter looks like below
filter {
if [type] == "syslog" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{DATE_EU:start_date}\s*%{TIMERED:start_time}\s%{DATE_EU:stop_date}\s*%{TIMERED:stop_time}\s*%{IPADDRS:source_address}\s*%{IPADDRS:destination_address}\s*%{IPADDRS:lb_address}\s*%{WORD:protocaol_type}\s*%{NUMBER:source_port}\s*%{NUMBER:dstination_port}\s*%{WORD:nat_type}\s*%{NUMBER:bytes}" }
}
mutate {
convert => { "source_address" => "string" }
convert => { "destination_address" => "string" }
convert => { "bytes" => "integer" }
add_field => {"timestamp" => "%{start_date}:%{start_time}" }
gsub => [
"source_address", "\s*", "",
"destination_address", "\s*", ""
]
}
date {
match => [ "timestamp" , "dd/MM/yyyy:HH:mm:ss"]
timezone => "Asia/Colombo"
}
geoip {
source => "source_address"
target => "source_geoip"
database => "/etc/logstash/test/GeoLiteCity.dat"
}
geoip {
source => "destination_address"
target => "destination_geoip"
database => "/etc/logstash/test/GeoLiteCity.dat"
}
}
Logstash output
But when i send the log files to the server it continuously get the following warning error
Failed parsing date from field {:field=>"timestamp", :value=>"%{start_date}:%{start_time}", :exception=>"Invalid format: "%{start_date}:%{start_time}"", :config_parsers=>"dd/MM/yyyy:HH:mm:ss", :config_locale=>"default=en_US", :level=>:warn}
Can you guys please advice me to how to fix this timestamp issue , im struggling with this for couple of days
Thank in Advance