Hi Team,
I am try to parse some set of apache access and error logs via filebeat input logs, although i am successfull in getting the apache logs in kibana, i am not getting any apache error messages in the kibana. I am pasting my filebeat.yml and logstash for reference.
filebeat.yml
#=========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/apache/logs/error_log*
fields:
log_type: apache_error
log_env: dev
fields_under_root: true
- type: log
enabled: true
paths:
- /opt/apache/logs/access_log*
fields:
log_type: apache_access
log_env: dev
fields_under_root: true
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["localhost:5072"]
logstash.conf
input {
beats {
port => 5070
}
beats {
port => 5071
}
beats {
port => 5072
}
}
filter {
if [log_type] == "apache_access" {
grok {
match => { "message" => ["%{NUMBER:[apache2][access][response_time]} %{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][timestamp]}\] %{NUMBER:[apache2][access][last_byte]} \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{DATA:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")? %{GREEDYDATA:unwantedline}","%{NUMBER:[apache2][access][response_time]} %{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][timestamp]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{DATA:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")? %{GREEDYDATA:unwantedline}" ] }
overwrite => [ "message" ]
}
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
date {
match => [ "[apache2][access][timestamp]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[apache2][access][timetamp]"
}
useragent {
source => "[apache2][access][agent]"
target => "[apache2][access][user_agent]"
remove_field => "[apache2][access][agent]"
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
else if [log_type] == "apache_error" {
grok {
match => { "message" => ["\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{LOGLEVEL:[apache][error][level]}\]( \[client %{IPORHOST:[apache][error][client]}\])? %{GREEDYDATA:[apache][error][message]}",
"\[%{APACHE_TIME:[apache][error][timestamp]}\] \[%{DATA:[apache][error][module]}:%{LOGLEVEL:[apache][error][level]}\] \[pid %{NUMBER:[apache][error][pid]}(:tid %{NUMBER:[apache][error][tid]})?\]( \[client %{IPORHOST:[apache][error][client]}\])? %{GREEDYDATA:[apache][error][message1]}" ] }
pattern_definitions => {
"APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
}
overwrite => [ "message" ]
}
mutate {
rename => { "[apache][error][message1]" => "[apache][error][message]" }
}
date {
match => [ "[apache][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
remove_field => "[apache][error][timestamp]"
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
}
output {
if [log_type] in [ "apache_access" , "apache_error" ] {
elasticsearch {
hosts => [ "localhost:9200" ]
manage_template => false
user => "logstash_user"
password => "xxxxxx"
index => "apache-%{log_env}-%{+YYYY.MM.dd}"
}
}
stdout { codec => rubydebug }
}