While importing php errors log file in logstash not getting fields separated from message in elasticsearch

This is my php error log file

[20-Sep-2018 00:01:00 America/Los_Angeles] Uncaught PHP Exception LogicException: "The controller must return a response (null given). Did you forget to add a return statement somewhere in your controller?" at /mnt/www/html/shoppingstore/docroot/vendor/symfony/http-kernel/HttpKernel.php line 171 request_id="v-ee827c28-bca2-11e8-80cc-22000a1e2cfa"

This is my logstash config file
```
input {
  file {
    path => "/home/Desktop/logfiles/php-errors.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  grok {
    match => { "message" => "[%{MONTHDAY:day}-%{MONTH:month}-%{YEAR:year} %{TIME:time} %{WORD:zone}/%{WORD:country}] PHP %{DATA:level}: %{GREEDYDATA:error}" }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "phperrorlog-%{+YYYY.MM.dd}"
    document_type => "phperrorlog"
  }
  stdout { codec => rubydebug }
}
```

Output Response:
```
{
  _index: "phperrorlog-2019.01.21",
  _type: "phperrorlog",
  _id: "yOWzb2gBmOi9Cy9CHuGo",
  _score: 1,
  _source: {
    message: "[20-Sep-2018 00:01:00 America/Los_Angeles] Uncaught PHP Exception LogicException: "The controller must return a response (null given). Did you forget to add a return statement somewhere in your controller?" at /mnt/www/html/shoppingstore/docroot/vendor/symfony/http-kernel/HttpKernel.php line 171 request_id="v-ee827c28-bca2-11e8-80cc-22000a1e2cfa"",
    @timestamp: "2019-01-21T09:17:15.558Z",
    host: "p1",
    tags: [
      "_grokparsefailure"
    ],
    @version: "1",
    path: "/home/Desktop/logfiles/php-errors.log"
  }
},
```
I need the values in that message separately, like DATA, GREEDYDATA, TIME.
Please help, someone.

This is what you need...

```
input {
  # Feed the sample line once so the filter can be tested without the log file.
  generator {
    lines => [
      '[20-Sep-2018 00:01:00 America/Los_Angeles] Uncaught PHP Exception LogicException: "The controller must return a response (null given). Did you forget to add a return statement somewhere in your controller?" at /mnt/www/html/shoppingstore/docroot/vendor/symfony/http-kernel/HttpKernel.php line 171 request_id="v-ee827c28-bca2-11e8-80cc-22000a1e2cfa"'
    ]
    count => 1
  }
}

filter {
  grok {
    # Custom pattern for the PHP timestamp, including the Area/City time zone.
    pattern_definitions => { "DATESTAMP_PHP" => "%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{WORD}\/%{WORD}" }
    # The literal square brackets around the timestamp are escaped.
    match => {
      "message" => [
        '\[%{DATESTAMP_PHP:timestamp}\] %{GREEDYDATA:msg}'
      ]
    }
    break_on_match => true
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```
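
An added example (not part of the answer above) that extends its filter: the first pattern splits the sample exception line into separate fields, and a `date` filter sets `@timestamp` from the log's own time instead of the ingest time seen in the question's output. The field names `exception`, `file`, `line` and `request_id` are assumptions chosen for illustration; `timestamp` and `msg` follow the answer.

```logstash
filter {
  grok {
    # Same custom timestamp pattern as in the answer above.
    pattern_definitions => { "DATESTAMP_PHP" => "%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{WORD}\/%{WORD}" }
    # Patterns are tried in order and the first match wins:
    #   1. the "Uncaught PHP Exception" layout of the sample line
    #      (request_id is treated as optional, an assumption);
    #   2. the answer's catch-all for any other bracket-timestamped line.
    match => {
      "message" => [
        '^\[%{DATESTAMP_PHP:timestamp}\] Uncaught PHP Exception %{NOTSPACE:exception}: "%{DATA:msg}" at %{NOTSPACE:file} line %{POSINT:line:int}(?: request_id="%{DATA:request_id}")?$',
        '^\[%{DATESTAMP_PHP:timestamp}\] %{GREEDYDATA:msg}'
      ]
    }
  }

  # Parse the captured PHP timestamp into @timestamp.
  # ZZZ is the time zone identity form (e.g. America/Los_Angeles).
  date {
    match => [ "timestamp", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
    locale => "en"
  }
}
```

Because the question's output index is named from `@timestamp` (`phperrorlog-%{+YYYY.MM.dd}`), events parsed this way land in the index for the day the error occurred rather than the day the file was imported.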
