Logstash Grok Filter Apache Access Log

O Connor · Mar 11, 2014 · Viewed 42.2k times

I have been looking around here and there, but could not find a working resolution. I am trying to use the Grok filter inside the Logstash config file to filter an Apache access log file. The log message looks like this: {"message":"00.00.0.000 - - [dd/mm/YYYY:hh:mm:ii +0000] \"GET /index.html HTTP/1.1\" 200 00"}.

At the moment I can only filter the client IP by using grok { match => [ "message", "%{IP:client_ip}" ] }.

I want to filter:

- the GET method,
- the requested page (index.html),
- HTTP/1.1,
- the server response 200,
- the last number 00 after 200 inside the message body.

Please note that none of these work for me:

grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } 

or

grok { match => [ "message", "%{COMBINEDAPACHELOG}" ] }

Answer

Garreth McDaid · Mar 12, 2014

Use the Grok Debugger to get an exact match on your log format. It's the only way.

http://grokdebug.herokuapp.com/
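Added example, not from the question, the answer or Logstash itself: a small Python grok-to-regex compiler loaded with the pattern definitions that COMMONAPACHELOG depends on (abridged from logstash-patterns-core; TIME and HOSTNAME are simplified), applied to a constructed access line of the shape shown in the question. It yields the method, request, HTTP version, status and byte count, and shows that a line carrying the question's placeholder date does not match at all, because HTTPDATE expects a numeric day and a month name.

```python
import re

# Added example (not Logstash's own code): a minimal grok-to-regex compiler with the
# pattern definitions COMMONAPACHELOG depends on, abridged from logstash-patterns-core
# (TIME and HOSTNAME are simplified). Fields use the stock names Logstash would emit.
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "USER": r"[a-zA-Z0-9._-]+",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\b",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "COMMONAPACHELOG": (
        r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
        r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?'
        r'|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
    ),
}

TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def compile_grok(pattern: str) -> re.Pattern:
    """Expand %{...} references (recursively) into one Python regex with named groups."""
    def expand(m):
        body = GROK_PATTERNS[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while TOKEN.search(pattern):
        pattern = TOKEN.sub(expand, pattern)
    return re.compile(pattern)

def parse_access_line(line: str):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = compile_grok("%{COMMONAPACHELOG}").match(line)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}

# Constructed sample lines. The first carries a real Apache timestamp; the second keeps
# the placeholder date from the question, which HTTPDATE cannot match.
GOOD_LINE = '192.0.2.10 - - [11/Mar/2014:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 2326'
PLACEHOLDER_LINE = '00.00.0.000 - - [dd/mm/YYYY:hh:mm:ii +0000] "GET /index.html HTTP/1.1" 200 00'
```

COMBINEDAPACHELOG is COMMONAPACHELOG followed by quoted referrer and agent fields, so a line like the one in the question, which has neither, is matched by the common pattern and not the combined one.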