Using Date plugin to parse apache2 error log datetime

Hi all !

I am trying to use Logstash to parse apache2 error logs.

These logs contain a dattime in a format e.g. Fri Oct 03 09:07:41.570 2023. I have already successfully transfered this string into a field "eventfire" using grok pattern %{HTTPDERROR_DATE:eventfire}

Now, I want to set @timestamp field to this date using date plugin for logstash.

I have set it up like this

filter {
    date {
        match => [ "eventfire", "EEE MMM dd HH:mm:ss.SSS yyyy" ]

the format of the date EEE MMM dd HH:mm:ss.SSS yyyy should be correct, because when I fire up simple Java application with org.joda.time and use this format, it returned the same datetime as the eventfire field above.

However, the @timestamp field didn't change to this date.

So, I tried to used ruby plugin. I ended up with following code:

date_str = event.get("eventfire")
    require "date"
    date = DateTime.parse(date_str)
    rescue Exception => e

which works and correctly set up @timestamp field even if I don't set up a format for the date, the DateTime.parse() function correctly parse Fri Oct 03 09:07:41.570 2023

My question is: Why the date plugin didn't work ? What did I do wrong ?

Your date filter works for me. Perhaps a locale issue?

Thanks, but I tried to experiment with this field, setting en, en-US, en_US, but it didn't have any effect

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.