Unable to view all fields

Hello Guys,
I configured Kibana, Elasticsearch and Logstash:

logstash.yml:

```yaml
http.host: "10.132.0.4"
xpack.monitoring.elasticsearch.url: ["http://10.132.0.4:9200"]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "password"
path.config: /etc/logstash/pipelines.yml
```

conf.d/05-apache-logstash.conf:

```
input {
  file {
    path => ["/etc/httpd/logs/access.log"]
    type => "apache_access"
  }
  file {
    path => ["/etc/httpd/logs/ssl_access_log"]
    start_position => "beginning"
    type => "ssl_apache_access"
  }
}
filter {
  if [type] in [ "apache_access" ] {
    grok {
      match => {"message" => "%{COMBINEDAPACHELOG}"}
    }
    mutate {
      convert => ["response", "integer"]
      convert => ["bytes", "integer"]
      convert => ["responsetime", "float"]
    }
    geoip {
      source => "clientip"
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    date {
      match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }
    useragent {
      source => "agent"
    }
  }
  if [type] in ["ssl_apache_access"] {
    grok {
      match => {"message" => "%{IP:client_ip} %{USER:ident} %{USER:auth} [%{HTTPDATE:apache_timestamp}] "%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" %{NUMBER:server_response}"}
    }
    date {
      match => ["time_stamp", "dd/MMM/YYYY:HH:mm:ss"]
      remove_field => [ "time_stamp","day","dayname","month","hour","minute","second","year"]
    }
    geoip {
      source => "clientip"
    }
    date {
      match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
      remove_field => [ "timestamp" ]
    }
    useragent {
      source => "agent"
    }
  }
}
output {
  if [type] in [ "apache-access" ] {
    elasticsearch {
      hosts => ["http://10.132.0.4:9200"]
      user => "elastic"
      password => "password"
      index => "logstash-apache-access-%{+YYYY.MM.dd}"
    }
  }
  if [type] in ["ssl_apache_access"] {
    elasticsearch {
      hosts => ["http://10.132.0.4:9200"]
      user => "elastic"
      password => "password"
      index => "logstash-ssl_apache-access-%{+YYYY.MM.dd}"
    }
  }
  stdout { codec => rubydebug }
}
```

elasticsearch.yml:

```yaml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: 10.132.0.4
discovery.type: single-node
```

kibana.yml:

```yaml
server.host: "10.132.0.4"

#ElasticSearchSpecs
elasticsearch.url: "http://10.132.0.4:9200"
elasticsearch.username: "kibana"
elasticsearch.password: "password"
```

However, I don't see ALL the values from my grok in Logstash. I see only about 5 variables. This is what I see when I start Logstash, even though my grok should also give me the clientIP and other fields:

```
{
          "type" => "ssl_apache_access",
       "message" => "212.56.146.130 - - [23/Jul/2018:15:05:19 +0000] "GET /lib/exe/fetch.php?w=100&tok=159fe2&media=32440740_10213947105066052_4116062512049291264_n.jpg HTTP/1.1" 304 -",
    "@timestamp" => 2018-07-23T15:05:19.834Z,
          "path" => "/etc/httpd/logs/ssl_access_log",
      "@version" => "1",
          "host" => "dokuwiki"
}
```

I know I am a newbie; I fought this for 5 days before coming here :slight_smile:
P.S. No errors in any logs
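A quick offline check of the ssl_access_log grok pattern against the sample line from the post, added here as an editor's example (not part of the thread): it expands the grok names the pattern uses into equivalent regexes, shows which field names the pattern actually produces, and flags names that downstream filters reference but the event does not carry. The regex equivalents for IP, USER, HTTPDATE, WORD, NOTSPACE and NUMBER are an assumed simplification of the Logstash grok library, and the literal `[ ]` and `"` around the timestamp and request are escaped so they match as characters.

```python
import re

# Assumed regex equivalents of the grok patterns the posted config uses
# (simplified from the Logstash grok-patterns library; enough for this input).
GROK = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}

# The ssl block's pattern, with the literal brackets and quotes escaped.
SSL_PATTERN = (
    r'%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] '
    r'\"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" '
    r'%{NUMBER:server_response}'
)

# The "message" value shown in the post's rubydebug output.
SAMPLE_LINE = (
    '212.56.146.130 - - [23/Jul/2018:15:05:19 +0000] "GET /lib/exe/fetch.php'
    '?w=100&tok=159fe2&media=32440740_10213947105066052_4116062512049291264_n.jpg'
    ' HTTP/1.1" 304 -'
)


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group."""
    def repl(m: re.Match) -> str:
        base = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{base})" if m.group(2) else f"(?:{base})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)


def grok_match(pattern: str, line: str):
    """Return the extracted fields as a dict, or None on a grok-style parse failure."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def unresolved_references(event: dict, referenced: list) -> list:
    """Field names a later filter (geoip source, date match) uses that the event lacks."""
    return [name for name in referenced if name not in event]


if __name__ == "__main__":
    event = grok_match(SSL_PATTERN, SAMPLE_LINE)
    print(event)
    # Names the posted ssl block hands to geoip and date, checked against the event.
    print(unresolved_references(event, ["clientip", "time_stamp"]))
```

Running it shows that the pattern yields client_ip and apache_timestamp, while the geoip and date filters in the ssl block look for clientip and time_stamp, so those two filters have nothing to act on.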

Please edit your post and use the right markup. Select the configuration and click on the </> on the toolbar above the composition window.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.