Code: Select all
[190.41.191.6, 10.1.0.6] - - [20/Nov/2014:10:17:25 -0500] "GET /dy/v2/widget/projects.html?projectIds=7887&ggtid=4F81C017B6215C3B9C5080352E974EFC&callback=cfisjzvnqcqerqtu.p[0] HTTP/1.1" 200 373 0 "http://gruporedes.org/trabajo-infantil-domestico/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
Code: Select all
LogFormat "[%{X-Forwarded-For}i] %l %u %t \"%r\" %>s %b %T \"%{Referer}i\" \"%{User-Agent}i\"" proxy
Code: Select all
if [program] == 'apache_access' {
grok {
match => [ 'message', '\[%{IPORHOST:clientip}(?:, %{NOTSPACE:clientiptoo}){0,1}\] %{USER:ident} %{NOTSPACE:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:servetime} %{QS:referrer} %{QS:agent}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}
Code: Select all
{
"_index": "logstash-2014.11.20",
"_type": "apache_access",
"_id": "CwDvEJbgTQCOJ_Kv6vNovw",
"_score": null,
"_source": {
"message": "[24.91.195.10, 10.1.0.6] - - [20/Nov/2014:10:28:26 -0500] \"GET /dy/v2/pe/manage/donations.html?project.projId=16721 HTTP/1.1\" 200 15952 0 \"https://www.globalgiving.org/dy/v2/pe/dashboard/overview.html\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25\"",
"@version": "1",
"@timestamp": "2014-11-20T15:28:31.000Z",
"type": "apache_access",
"host": "10.1.0.100",
"priority": 133,
"timestamp": "Nov 20 10:28:31",
"logsource": "tibet",
"program": "apache_access",
"severity": 5,
"facility": 16,
"facility_label": "local0",
"severity_label": "Notice",
"tags": [
"_grokparsefailure"
]
},
"sort": [
1416497311000,
1416497311000
]
}
I made the edit to apply my custom grok pattern under "Global Configuration", and edited the existing "Apache (default)" filter. Then clicked "Save & Apply", then clicked "Apply" on the next screen. I have also run the "Verify" and it shows everything is ok with the config. Any suggestions on what I should do?