how to add more filter or modify filter
-
pccwglobalit
- Posts: 105
- Joined: Wed Mar 11, 2015 9:00 pm
how to add more filter or modify filter
We need to modify the filter and add response to the Apache combined log. Where and how can we do that? Thanks.
Re: how to add more filter or modify filter
Filters can be found under Administration | Global Configuration.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
Re: how to add more filter or modify filter
Eric is right. Did you have anything specific you were trying to do?
Former Nagios Employee.
-
pccwglobalit
- Posts: 105
- Joined: Wed Mar 11, 2015 9:00 pm
Re: how to add more filter or modify filter
We have added response time to the Apache combined log. That means we have a new log format: combined log + %D. Now we can see there is a combined log in the filter, but we don't know how to add %D to the log format.
Re: how to add more filter or modify filter
I'm sorry, but I'm having a little trouble understanding what you're trying to accomplish. Do you think you could show me a screenshot of what you have, and then an example of what you want?
Former Nagios Employee.
-
pccwglobalit
- Posts: 105
- Joined: Wed Mar 11, 2015 9:00 pm
Re: how to add more filter or modify filter
please check this article http://unicolet.blogspot.hk/2014/09/ind ... h-elk.html
LogFormat "%h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" extendedcombined
In Nagios Log Server, the combined log is without %D.
We want to change the combined log to the following:
EXTENDEDAPACHELOG %{SYSLOGTIMESTAMP:timestamp} %{GREEDYDATA:source} %{IPORHOST:clientip} %{USER:ident} %{USER:auth} "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "%{GREEDYDATA:referer}" "%{GREEDYDATA:agent}" %{NUMBER:responsetime}
That is, we add %{NUMBER:responsetime} to the combined format.
Re: how to add more filter or modify filter
Can you show me one of the Apache logs that is coming in to your server after you modified your Apache host? This will assist with the filter creation process. (Please copy and paste from the message field on NLS on one of your apache logs)
Thanks!
Former Nagios Employee.
-
pccwglobalit
- Posts: 105
- Joined: Wed Mar 11, 2015 9:00 pm
Re: how to add more filter or modify filter
192.168.99.145 - - [05/May/2016:00:02:03 +0000] "GET /healthCheck HTTP/1.1" 200 1 "-" "Java/1.7.0_79" "xxx.domin.com" "192.168.99.146" 45493
You can find the response time in the last column.
Re: how to add more filter or modify filter
Would you be willing to do a remote so we can look at this? It's likely this will take much less time to do over remote than over the forums.
Former Nagios Employee.
Re: how to add more filter or modify filter
I'm pretty sure you can just add what you want to the existing grok filter.
Go to Administration | Global Configuration and click on the Apache filter. Then change:

    if [program] == 'apache_access' {
      grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}']
      }
      date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
      }
      mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
      }
    }

to

    if [program] == 'apache_access' {
      grok {
        match => [ 'message', '%{COMBINEDAPACHELOG} %{INT:responseTime}']
      }
      date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
      }
      mutate {
        replace => [ 'type', 'apache_access' ]
        convert => [ 'bytes', 'integer' ]
        convert => [ 'response', 'integer' ]
      }
    }

Note the line that changed is the MATCH line for the GROK filter.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
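The following is an added example, not code from the thread or from Nagios Log Server. It reproduces the grok/date/mutate chain from Eric's filter in plain Python so the two candidate MATCH lines can be checked offline against the log line the poster pasted. The poster's LogFormat evidently emits two extra quoted fields between the User-Agent and %D (assumed here to be a vhost and a forwarded-for address; the field names `vhost` and `forwarded_for` are this example's own choice). The second sample line is constructed to show the stock combined format with only %D appended. Anything the patterns do not match is tagged `_grokparsefailure`, the same tag Logstash's grok filter adds, which is the tag to watch in NLS so that lines silently failing the new pattern do not disappear from dashboards.

```python
import re
from datetime import datetime

# Constructed sample lines for this example.
# [0] is the line the poster pasted: combined log + two extra quoted fields + %D.
# [1] is a constructed stock "combined" line with only %D appended.
SAMPLE_LINES = [
    '192.168.99.145 - - [05/May/2016:00:02:03 +0000] "GET /healthCheck HTTP/1.1" 200 1 '
    '"-" "Java/1.7.0_79" "xxx.domin.com" "192.168.99.146" 45493',
    '10.0.0.7 - alice [05/May/2016:00:02:04 +0000] "POST /login HTTP/1.1" 302 - '
    '"https://example.test/" "Mozilla/5.0" 1203',
]

# Plain-regex equivalent of %{COMBINEDAPACHELOG}; named groups stand in for
# the %{PATTERN:field} captures. Anchored at the start so a partial match
# elsewhere in the line cannot pass as a parse.
COMBINED = (
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Eric's suggested MATCH line: combined log followed directly by %D.
COMBINED_PLUS_D = re.compile(COMBINED + r' (?P<responsetime>\d+)$')
# The poster's actual format: two more quoted fields (assumed vhost and
# forwarded-for; hypothetical names) and then %D.
EXTENDED = re.compile(
    COMBINED + r' "(?P<vhost>[^"]*)" "(?P<forwarded_for>[^"]*)" (?P<responsetime>\d+)$'
)

# Tried in order; the more specific pattern first so it cannot be shadowed.
PATTERNS = [("extended", EXTENDED), ("combined_plus_d", COMBINED_PLUS_D)]


def pattern_matches(pattern, line):
    """True if a single MATCH candidate accepts the line (the grok step alone)."""
    return pattern.match(line) is not None


def parse_access_line(line):
    """Mimic grok -> date -> mutate from the filter and return the event dict.

    Lines no pattern accepts are returned with the '_grokparsefailure' tag
    that Logstash's grok filter adds, so they can be counted and alerted on.
    """
    for name, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["matched_pattern"] = name
        event["type"] = "apache_access"                 # mutate { replace => ... }
        event["response"] = int(event["response"])      # mutate { convert => ... }
        # %b logs "-" for a zero-byte body; treated as 0 here for the integer field.
        event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
        event["responsetime"] = int(event["responsetime"])   # %D is microseconds
        # date { match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ] }
        event["@timestamp"] = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        return event
    return {"message": line, "tags": ["_grokparsefailure"]}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_access_line(line)
        print(ev.get("matched_pattern", "NO MATCH"), ev.get("responsetime"), ev.get("tags"))
```

Running it shows that the MATCH line from the post above (`COMBINED_PLUS_D`) does not accept the poster's line, because the two extra quoted fields sit between the User-Agent and the response time; the `EXTENDED` pattern, which names those fields, does. Whichever pattern goes into the NLS filter, add a `convert => [ 'responsetime', 'integer' ]` in the mutate block as well, otherwise the field is stored as a string and cannot be used in numeric range queries.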