When i add this logstash filter for apache logs get following error

shahzaib123 · March 2, 2020, 12:56pm

I am facing a issue in logstash filter with grok filter

my log data is:
192.168.1.200 - - [02/Mar/2020:12:25:45 +0500] "GET / HTTP/1.1" 200 472 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"

grok filter configuration is:
%{IPORHOST:clientip} - - [%{HTTPDATE:httpdate}] "%{WORD:Method} / HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}

whole configuation of logstash is:
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{IPORHOST:clientip} - - [%{HTTPDATE:httpdate}] "%{WORD:Method} / HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}"}
}
}
output {
elasticsearch {
hosts => ["10.110.2.120:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Error:
logs of logstash:
[2020-03-02T12:53:00,406][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", "}" at line 8, column 81 (byte 140) after filter {\n grok {\n match => { "message" => "%{IPORHOST:clientip} - - \[%{HTTPDATE:httpdate}\] "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:47:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:55:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:17:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:14:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}

[2020-03-02T12:53:00,678][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2020-03-02T12:53:05,563][INFO ][logstash.runner ] Logstash shut down.

please give me advice for solution

Fabio-sama · March 3, 2020, 11:11am

Hi there,

please next time you post something try to properly indent it in a text editor (Atom, Visual Studio Code, Sublime or whatever), paste it here properly spaced, highlight it and then click on the Preformatted text tool ( ), otherwise it'll be unreadable to others.

That said, you didn't escape quotes in your grok before Method and after httpversion.

Also, you will have a _grokparsefailure if you don't escape the square brackets around the httpdate, too.

Try with this grok:

grok {
  match => { "message" => "%{IPORHOST:clientip} - - \[%{HTTPDATE:httpdate}\] \"%{WORD:Method} / HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:Response_size} %{QS:referrer} %{QS:agent}"}
}

shahzaib123 · March 6, 2020, 7:32am

Thank you ...

Fabio-sama · March 6, 2020, 1:56pm

No problem. If it solved your problem, please set it as Solution, this way a future reader will see this problem has been solved.

Thanks

system · April 3, 2020, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.