Unable to write grok filter for access.log

Ipsidash · May 22, 2021, 4:21pm

Hi,

I have an access.log for which i need grok filter to ingest logs to logstash. I have passing the grok filter in logstash.conf.

Access.log:
144.70.113.111 - - [16/May/2021:23:40:32 -0400] [https-jsse-nio-8443-exe-40] 372bcb7832464258b3fb3bfc8324053 "GET /api/v3/projects/1103/test-runs?parentType=test-suit&parentID=null HTTP/1.1" 200 240 26

Grok filter didn't work:
grok { match =>["message","%{COMBINEDAPACHELOG}"]}

Thanks,
Ipsita Dash

Badger · May 24, 2021, 2:30pm

COMBINEDAPACHELOG expects useragent and referer fields to be present. Your log format looks like HTTPD_COMMONLOG.

Ipsidash · May 24, 2021, 3:20pm

It showed compile error

Badger · May 24, 2021, 3:26pm

Actually your format is not HTTPD_COMMONLOG either. You will need a custom pattern. You can use the examples I linked to as a starting point.

Ipsidash · May 25, 2021, 7:27am

Can't find out the example linked. Can you please relink it again?

Badger · May 25, 2021, 2:15pm

The httpd related patterns are here.

Ipsidash · May 25, 2021, 2:33pm

Thank you, i will go through it.

niyazahamed · May 25, 2021, 2:46pm

I too have a same issue. Great update thank you for fixing this issue

system · June 22, 2021, 2:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.