Greetings,
There are archived Apache log files on a Windows machine that need to be passed to Logstash for parsing; however, I'm not having any success in doing so. The nxlog client is installed on the Windows machine hosting the archived Apache logs, and I've edited the Windows nxlog.conf file as follows:

```
....
#
<Input apache-access>
    Module  im_file
    File    'c:\ApacheLogs\request.*'
    SavePos TRUE
    Exec    $Message = $raw_event;
</Input>
#
...
<Output out>
    Module  om_tcp
    Host    xxx.xxx.xxx.xxx
    Port    3515
    Exec    $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec    $raw_event = to_json();
</Output>
...
#
<Route 1>
    Path    internal, file1, apache-access, eventlog => out
</Route>
```

On the Nagios Log Server I've created the following filter:

```
filter {
    if [type] == "apache-access" {
        grok {
            match => ['message', '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)' ]
        }
    }
}
```

Can you please tell me what I'm doing wrong? Thanks in advance.
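A small offline check of the two conditions the filter above applies to each event, added here as an illustration and not part of the original post or of nxlog/Logstash: it parses a JSON line in the shape om_tcp with to_json() sends, tests whether the `[type] == "apache-access"` conditional would be true, and tests the message against a Python regex equivalent of the grok pattern. The sample events are constructed; the regex approximates grok's IPORHOST/USER/HTTPDATE sub-patterns rather than reproducing them exactly.

```python
import json
import re

# Python translation of the grok pattern in the filter (assumption: the
# sub-patterns below approximate IPORHOST, USER, HTTPDATE, WORD, NOTSPACE, DATA, NUMBER).
APACHE_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?:(?P<bytes>\d+)|-)'
)

def diagnose_event(line: str, expected_type: str = "apache-access") -> dict:
    """Report whether one JSON event would pass the filter's [type] conditional
    and whether its 'message' field would be parsed by the grok pattern."""
    result = {"json_ok": False, "type_matches": False, "grok_matches": False, "fields": {}}
    try:
        event = json.loads(line)
    except ValueError:
        return result  # not JSON at all: to_json() is not producing this line
    result["json_ok"] = True
    result["type_matches"] = event.get("type") == expected_type
    match = APACHE_RE.match(event.get("message", ""))
    if match:
        result["grok_matches"] = True
        result["fields"] = {k: v for k, v in match.groupdict().items() if v is not None}
    return result

# Constructed sample 1: fields as the posted config would emit them. nxlog's core
# fields name the input module instance (SourceModuleName), but no 'type' field is set.
SAMPLE_NO_TYPE = json.dumps({
    "EventReceivedTime": "2016-03-01 10:00:00",
    "SourceModuleName": "apache-access",
    "SourceModuleType": "im_file",
    "message": '192.0.2.10 - - [01/Mar/2016:09:59:58 +0000] "GET /index.html HTTP/1.1" 200 2326',
})

# Constructed sample 2: same line, but with a 'type' field present (hypothetical).
SAMPLE_WITH_TYPE = json.dumps({
    "type": "apache-access",
    "message": '198.51.100.7 - alice [01/Mar/2016:10:00:01 +0000] "POST /login HTTP/1.1" 302 -',
})

if __name__ == "__main__":
    for name, line in (("no type", SAMPLE_NO_TYPE), ("with type", SAMPLE_WITH_TYPE)):
        print(name, diagnose_event(line))
```

Feeding real captured lines through `diagnose_event` separates "nothing arrives" (the tcpdump question) from "it arrives but the conditional or the grok pattern does not match".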
Re: Apache Log Files on Windows
Assuming the issue is that you can't see the logs when you query, the first step would be to run tcpdump to see if the logs are even hitting the Nagios Log Server machine:

```
tcpdump src XXX.XXX.XXX.XXX and dst port 3515
```

Replace the XXX with the IP of the Windows machine and let it run for a bit, making sure to do some actions like visiting a web page hosted there so as to trigger the logs being written. If nothing shows up on the tcpdump, we know nothing is being sent. At that point we can start to look at firewalls, ensure the nxlog agent is running, etc.
Former Nagios employee