Logstash Grok Filter Apache Access Log

I looked here and there, but could not find a working solution. I am trying to use a grok filter inside a Logstash configuration file to parse an Apache access log file. The log message is as follows: {"message":"00.00.0.000 - - [dd/mm/YYYY:hh:mm:ii +0000] \"GET /index.html HTTP/1.1\" 200 00"}.

At this point, I could only filter the client IP using grok {match => ["message", "%{IP:client_ip}"]}.

I want to filter:

 - the GET method
 - the requested page (index.html)
 - HTTP/1.1
 - the server response 200
 - the last number 00 after 200 inside the message body

Please note: none of them work for me:

  • grok {match => {"message" => "%{COMBINEDAPACHELOG}"}} or
  • grok {match => ["message", "%{COMBINEDAPACHELOG}"]}
3 answers
 grok {
   # one named capture per field the question asks for; %{NUMBER:bytes} picks up the last number after the response code
   match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:bytes}" ]
 }

Use the Grok debugger to get an exact match in your log format. This is the only way.

http://grokdebug.herokuapp.com/


Use the following:

 filter { grok { match => { "message" => "%{COMMONAPACHELOG}" } } } 

As you can see from the pattern definition, COMBINEDAPACHELOG will fail because some components are missing from your line:

 COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent} 

https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns

