We receive this kind of message:
"_source": {
    "message": "[22/Sep/2015:10:20:03 +0200] 10.0.22.48 TLSv1 AES256-SHA \"GET / HTTP/1.1\" 222 0 158\n",
    "@version": "1",
    "@timestamp": "2015-09-22T08:20:13.000Z",
    "type": "syslog",
    "host": "w.x.y.z",
    "priority": 133,
    "timestamp": "Sep 22 10:20:13",
    "logsource": "lsliamv06",
    "program": "httpd_1_ssl_request_log",
    "severity": 5,
    "facility": 16,
    "facility_label": "local0",
    "severity_label": "Notice"
}
We put this filter:
# Access log branch: selected on the syslog 'program' field
if [program] == 'httpd_1_ssl_access_log' {
    grok {
        # parse the Apache combined log format out of 'message'
        match => [ 'message', '%{COMBINEDAPACHELOG}' ]
    }
    date {
        # use the Apache request timestamp as @timestamp
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
    }
}
# Error log branch
if [program] == 'httpd_1_ssl_error_log' {
    grok {
        # [Day Mon DD HH:MM:SS YYYY] [class] [originator clientip] message
        match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}' ]
    }
    mutate {
        replace => [ 'type', 'apache_error' ]
    }
}
But it seems it doesn't work, because the field type never has apache_access or apache_error, even though we can find entries whose field program contains httpd_1_ssl_access_log or httpd_1_ssl_error_log.
Of course we saved and applied the configuration.
Any clues?
Thanks in advance
Yves
Transform message with filter
Re: Transform message with filter
I would like to see some more logs of yours so that I may test what could be going on with your filter. Could you please provide 1-2 more logs for me to take a look at? Thanks!
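The following is an added example, not the poster's configuration or anything from the thread: a small Python harness that replays the branching of the posted filter over constructed events, so the routing can be checked offline before touching Logstash. It uses the one message actually shown in the post (program httpd_1_ssl_request_log, an ssl_request_log line) plus two assumed events, an access log line in combined format and an error log line, for the two program values the conditionals test. Note that the shown message's program value, httpd_1_ssl_request_log, matches neither conditional, so that event keeps type "syslog" in this replay; whether the real access_log and error_log events match is exactly what the reply above asks for more samples to verify. The field names, the three unexplained trailing numbers on the request line, and the sample access/error lines are all assumptions.

```python
"""Replay the posted Logstash conditionals in plain Python (added example,
not the poster's filter). Sample events are constructed, not real logs."""
import re
from datetime import datetime, timezone

SAMPLE_EVENTS = [
    # The one message actually shown in the post (program: httpd_1_ssl_request_log).
    {"program": "httpd_1_ssl_request_log",
     "message": '[22/Sep/2015:10:20:03 +0200] 10.0.22.48 TLSv1 AES256-SHA "GET / HTTP/1.1" 222 0 158\n'},
    # Assumed shapes for the two programs the posted conditionals test.
    {"program": "httpd_1_ssl_access_log",
     "message": '10.0.22.48 - - [22/Sep/2015:10:20:03 +0200] "GET / HTTP/1.1" 200 158 "-" "curl/7.43.0"\n'},
    {"program": "httpd_1_ssl_error_log",
     "message": '[Tue Sep 22 10:20:03 2015] [error] [client 10.0.22.48] File does not exist: /var/www/html/favicon.ico\n'},
]

# ssl_request_log line as shown in the post: [%t] %h SSL_PROTOCOL SSL_CIPHER "%r" ...
# The trailing numbers (222 0 158) are captured generically because the post does
# not show the LogFormat that produced them (assumption).
SSL_REQUEST_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] (?P<clientip>\S+) (?P<ssl_protocol>\S+) '
    r'(?P<ssl_cipher>\S+) "(?P<request>[^"]*)"(?P<extra>(?: \S+)*)\s*$'
)

# Plain-regex equivalent of grok's %{COMBINEDAPACHELOG}.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# Mirrors the error-log grok from the post: [Day Mon DD HH:MM:SS YYYY] [class] [originator ip] msg
ERROR_RE = re.compile(
    r'^\[(?P<timestamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] '
    r'\[(?P<class>\w+)\] \[(?P<originator>\w+) (?P<clientip>[\d.]+)\] (?P<errmsg>.*?)\s*$'
)

# program -> (type assigned by mutate, pattern used by grok), copied from the posted conditionals.
ROUTES = {
    "httpd_1_ssl_access_log": ("apache_access", COMBINED_RE),
    "httpd_1_ssl_error_log": ("apache_error", ERROR_RE),
}


def apache_ts_to_utc(value: str) -> str:
    """What the date filter does: '22/Sep/2015:10:20:03 +0200' -> '2015-09-22T08:20:03Z'."""
    dt = datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def process(event: dict) -> dict:
    """Apply the same branching as the posted filter and return the enriched event."""
    out = dict(event)
    out.setdefault("type", "syslog")          # value the syslog input gave it
    route = ROUTES.get(event["program"])
    if route is None:
        out["matched_branch"] = None          # no conditional fires, type stays 'syslog'
        return out
    new_type, regex = route
    m = regex.match(event["message"])
    if m is None:
        out["tags"] = ["_grokparsefailure"]   # grok's behaviour on a miss; mutate never runs
        return out
    fields = m.groupdict()
    out["matched_branch"] = new_type
    out["type"] = new_type                    # mutate { replace => ['type', ...] }
    if new_type == "apache_access":
        fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])   # mutate convert
        fields["response"] = int(fields["response"])
        out["@timestamp"] = apache_ts_to_utc(fields["timestamp"])                # date filter
    # Kept under a separate key so they do not collide with the syslog 'timestamp' field.
    out["apache"] = fields
    return out


def parse_ssl_request(message: str):
    """Parser for the ssl_request_log shape the posted sample actually has."""
    m = SSL_REQUEST_RE.match(message)
    if m is None:
        return None
    d = m.groupdict()
    d["extra"] = d["extra"].split()
    d["@timestamp"] = apache_ts_to_utc(d["timestamp"])
    return d


def route_all(events=SAMPLE_EVENTS):
    return [process(e) for e in events]


if __name__ == "__main__":
    for e in route_all():
        print(e["program"], "->", e["type"], e.get("tags", ""))
    print(parse_ssl_request(SAMPLE_EVENTS[0]["message"]))
```

Running it prints which type each constructed event ends up with; the posted request_log event stays "syslog" because neither conditional names its program, while a message that reaches a branch but does not fit the pattern gets the _grokparsefailure tag instead of the new type, which is the other thing worth checking in the real index.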