Unable to parse the apache error logs


(Nishanth Raj) #1

Hi Team,
I am trying to parse a set of apache access and error logs via the filebeat log input. Although I am successful in getting the apache logs into Kibana, I am not getting any apache error messages in Kibana. I am pasting my filebeat.yml and logstash config for reference.

filebeat.yml

#=========================== Filebeat inputs =============================

filebeat.inputs:

- type: log

  enabled: true

  paths:
    - /opt/apache/logs/error_log*

  fields:
    log_type: apache_error
    log_env: dev
  fields_under_root: true

- type: log

  enabled: true

  paths:
    - /opt/apache/logs/access_log*
  fields:
    log_type: apache_access
    log_env: dev
  fields_under_root: true

#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s


#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5072"]

logstash.conf

input {
  beats {
    port => 5070
  }
  beats {
    port => 5071
  }
  beats {
    port => 5072
  }
}

filter {
  if [log_type] == "apache_access" {
    grok {
      match => { "message" => [
        "%{NUMBER:[apache2][access][response_time]} %{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][timestamp]}\] %{NUMBER:[apache2][access][last_byte]} \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{DATA:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")? %{GREEDYDATA:unwantedline}",
        "%{NUMBER:[apache2][access][response_time]} %{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][timestamp]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{DATA:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")? %{GREEDYDATA:unwantedline}"
      ] }
      overwrite => [ "message" ]
    }
    mutate {
      add_field => { "read_timestamp" => "%{@timestamp}" }
    }
    date {
      match => [ "[apache2][access][timestamp]", "dd/MMM/YYYY:H:m:s Z" ]
      # field name fixed: the original read "timetamp", so the field was never removed
      remove_field => "[apache2][access][timestamp]"
    }
    useragent {
      source => "[apache2][access][agent]"
      target => "[apache2][access][user_agent]"
      remove_field => "[apache2][access][agent]"
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
  else if [log_type] == "apache_error" {
    grok {
      match => { "message" => [
        "\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{LOGLEVEL:[apache][error][level]}\]( \[client %{IPORHOST:[apache][error][client]}\])? %{GREEDYDATA:[apache][error][message]}",
        "\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{DATA:[apache][error][module]}:%{LOGLEVEL:[apache][error][level]}\] \[pid %{NUMBER:[apache][error][pid]}(:tid %{NUMBER:[apache][error][tid]})?\]( \[client %{IPORHOST:[apache][error][client]}\])? %{GREEDYDATA:[apache][error][message1]}"
      ] }
      pattern_definitions => {
        "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
      }
      overwrite => [ "message" ]
    }
    mutate {
      rename => { "[apache][error][message1]" => "[apache][error][message]" }
    }
    date {
      match => [ "[apache][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
      remove_field => "[apache][error][timestamp]"
    }
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}

output {
  if [log_type] in [ "apache_access", "apache_error" ] {
    elasticsearch {
      hosts => [ "localhost:9200" ]
      manage_template => false
      user => "logstash_user"
      password => "xxxxxx"
      index => "apache-%{log_env}-%{+YYYY.MM.dd}"
    }
  }
  stdout { codec => rubydebug }
}

#2

Considering you have

  if "_grokparsefailure" in [tags] {
    drop { }
  }

in your logstash configuration, I would assume that the grok patterns do not match your error messages, so they get dropped. Did you try to test them in Kibana's grok debugger?

I would suggest removing this configuration part; then you can search for tags:"_grokparsefailure" in Kibana to find messages not matching your patterns and fix the patterns.
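To check the two error-log grok patterns from the logstash.conf above offline before touching the pipeline, here is an added Python example (not from the thread or from Logstash) that expands them to plain regex and runs them over constructed sample lines, tagging non-matching events with _grokparsefailure instead of dropping them. The simplified IPORHOST and the optional ":port" variant for Apache 2.4's "[client ip:port]" field are assumptions to verify against your own log lines.

```python
import re

# Grok building blocks from the logstash.conf above, expanded to plain regex
# (simplified stand-ins: IPORHOST here covers IPv4 and hostnames only).
DAY = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)"
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
APACHE_TIME = DAY + " " + MONTH + r" \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}"
LOGLEVEL = r"(?:emerg|alert|crit|error|warn|notice|info|debug|trace\d)"
IPORHOST = r"[A-Za-z0-9.-]+"

# First pattern in the page's grok: Apache 2.2 style "[time] [level] [client ip] msg".
ERROR_22 = re.compile(
    rf"^\[(?P<timestamp>{APACHE_TIME})\] \[(?P<level>{LOGLEVEL})\]"
    rf"(?: \[client (?P<client>{IPORHOST})\])? (?P<message>.*)$")

def error_24_pattern(allow_port):
    """Second pattern in the page's grok (Apache 2.4 style). allow_port=True is an
    assumed hardening: 2.4 writes "[client ip:port]", which the page's pattern
    cannot bind to the client field (the text then lands inside message)."""
    port = r"(?::(?P<port>\d+))?" if allow_port else ""
    return re.compile(
        rf"^\[(?P<timestamp>{APACHE_TIME})\] \[(?P<module>[^:\]]+):(?P<level>{LOGLEVEL})\]"
        rf" \[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\]"
        rf"(?: \[client (?P<client>{IPORHOST}){port}\])? (?P<message>.*)$")

ERROR_24 = error_24_pattern(allow_port=False)
ERROR_24_PORT = error_24_pattern(allow_port=True)

def parse_error_line(line, patterns=(ERROR_22, ERROR_24)):
    """Mimic grok: try patterns in order; on no match keep the event and tag it
    _grokparsefailure instead of dropping it, so it stays searchable in Kibana."""
    for pat in patterns:
        m = pat.match(line)
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return {"message": line, "tags": ["_grokparsefailure"]}

# Constructed sample lines (not taken from the poster's logs).
SAMPLE_LINES = [
    "[Wed Jan 15 10:21:03 2020] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico",
    "[Wed Jan 15 10:21:04.123456 2020] [core:notice] [pid 1234:tid 140] AH00094: Command line: '/opt/apache/bin/httpd'",
    "[Wed Jan 15 10:21:05.654321 2020] [authz_core:error] [pid 1234:tid 141] [client 10.0.0.5:52310] AH01630: client denied by server configuration: /var/www/secret",
    "[2020-01-15 10:21:06] stray line written to stderr by a CGI script",
]

def run(lines=SAMPLE_LINES, patterns=(ERROR_22, ERROR_24)):
    return [parse_error_line(line, patterns) for line in lines]

if __name__ == "__main__":
    for event in run():
        print(event)
```

Events that come back tagged _grokparsefailure are exactly the ones the drop filter would have silently discarded; the third sample shows a quieter failure, where the line matches but the client address is never extracted.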


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.