When i add this logstash filter for apache logs get following error

Elastic Stack Logstash
1

I am facing a issue in logstash filter with grok filter

my log data is:
192.168.1.200 - - [02/Mar/2020:12:25:45 +0500] "GET / HTTP/1.1" 200 472 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

grok filter configuration is:
%{IPORHOST:clientip} - - [%{HTTPDATE:httpdate}] "%{WORD:Method} / HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}

whole configuation of logstash is:
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{IPORHOST:clientip} - - [%{HTTPDATE:httpdate}] "%{WORD:Method} / HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}"}
}
}
output {
elasticsearch {
hosts => ["10.110.2.120:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Error:
logs of logstash:
[2020-03-02T12:53:00,406][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", "}" at line 8, column 81 (byte 140) after filter {\n grok {\n match => { "message" => "%{IPORHOST:clientip} - - \[%{HTTPDATE:httpdate}\] "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:47:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:55:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:17:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:14:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}

[2020-03-02T12:53:00,678][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2020-03-02T12:53:05,563][INFO ][logstash.runner ] Logstash shut down.

please give me advice for solution

2

Hi there,

please next time you post something try to properly indent it in a text editor (Atom, Visual Studio Code, Sublime or whatever), paste it here properly spaced, highlight it and then click on the Preformatted text tool (image ), otherwise it'll be unreadable to others.

That said, you didn't escape quotes in your grok before Method and after httpversion.

Also, you will have a _grokparsefailure if you don't escape the square brackets around the httpdate, too.

Try with this grok:

grok {
  match => { "message" => "%{IPORHOST:clientip} - - \[%{HTTPDATE:httpdate}\] \"%{WORD:Method} / HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}"}
}
3

Thank you ... :slight_smile:

4

No problem. If it solved your problem, please set it as Solution, this way a future reader will see this problem has been solved.

Thanks

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.