Filter not working (Windows, im_file, acces.log)
Posted: Thu Feb 12, 2015 5:14 am
by McCriddle
Hi,
we are evaluating NLS right now.
After testing a few logs on a single server (using the vSphere OVF Template 2015r1.2), we have now moved to a cluster / manual installation setup (2015r1.2b).
We import some Apache access.logs (custom format) from a Windows machine via nxlog.
The events get imported but NLS doesn't apply filters.
Example: (the exact same messages and filters are working on our single test machine)
if 'apache_access_myformat' in [SourceModuleName] {
grok {
match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}
{
"_index": "logstash-2015.02.12",
"_type": "eventlog",
"_id": "F9nXsdJMS3aoxyE9tvvNVg",
"_score": null,
"_source": {
"EventReceivedTime": "2015-02-12 10:57:53",
"SourceModuleName": "apache_access_myformat_app",
"SourceModuleType": "im_file",
"message": "10.2.102.8|192.168.131.185|-|[12/Feb/2015:10:57:52 +0100]|GET|/someFolder/|200|4|\"-\"|\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\"|our.vhost.local",
"@version": "1",
"@timestamp": "2015-02-12T09:57:53.683Z",
"host": "192.168.131.185",
"type": "eventlog"
},
"sort": [
1423735073683,
1423735073683
]
}
Thanks in advance for any ideas.
Mike
Filter not working
Posted: Thu Feb 12, 2015 5:28 am
by McCriddle
Hi,
we are trying to move from a single NLS test setup (via OVF 2015r1.2) to a cluster setup (manual installation 2015r1.2b).
Right now we have the problem that NLS doesn't apply the filters and just saves the events as they "arrive".
Example: (the exact same messages and filters work on our test setup)
if 'apache_access_myformat' in [SourceModuleName] {
grok {
match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}
{
"_index": "logstash-2015.02.12",
"_type": "eventlog",
"_id": "TJbTV-XmTluJyLFNrR3z8w",
"_score": null,
"_source": {
"EventReceivedTime": "2015-02-12 11:18:54",
"SourceModuleName": "apache_access_myformat_app",
"SourceModuleType": "im_file",
"message": "10.2.102.8|192.168.85.86|-|[12/Feb/2015:11:18:53 +0100]|GET|/customer/|200|2135|\"-\"|\"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\"|my.vhost.local",
"@version": "1",
"@timestamp": "2015-02-12T10:18:54.662Z",
"host": "192.168.85.86",
"type": "eventlog"
},
"sort": [
1423736334662,
1423736334662
]
}
Thanks in advance for any suggestions.
Mike
Re: Filter not working (Windows, im_file, acces.log)
Posted: Thu Feb 12, 2015 9:17 am
by scottwilkerson
Your filter is wrapped in
if 'apache_access_myformat' in [SourceModuleName]
However the item received is
"SourceModuleName": "apache_access_myformat_app",
So the filter is not being applied.
Re: Filter not working (Windows, im_file, acces.log)
Posted: Thu Feb 12, 2015 9:46 am
by McCriddle
scottwilkerson wrote: Your filter is wrapped in
if 'apache_access_myformat' in [SourceModuleName]
However the item received is
"SourceModuleName": "apache_access_myformat_app",
So the filter is not being applied.
Yeah, but it should be applied, as 'apache_access_myformat' is in "apache_access_myformat_app",
and the same filter is working fine in the single 2015R1.2 NLS.
Re: Filter not working (Windows, im_file, acces.log)
Posted: Fri Feb 13, 2015 3:06 am
by McCriddle
Okay,
update on this one: it's working as expected without any change.
It seems NLS just needs a night until it picks up the configuration.
Re: Filter not working (Windows, im_file, acces.log)
Posted: Fri Feb 13, 2015 10:25 am
by scottwilkerson
Glad it's working.
McCriddle wrote: Okay,
update on this one: it's working as expected without any change.
It seems NLS just needs a night until it picks up the configuration.
The "in" conditional means it is in the list of all possible values for [SourceModuleName]; you could accomplish what you originally intended using a wildcard with a *, such as
if 'apache_access_myformat*' in [SourceModuleName]
Re: Filter not working (Windows, im_file, acces.log)
Posted: Tue Feb 24, 2015 4:26 am
by McCriddle
Hi again,
unfortunately our filters still aren't working as expected.
They don't seem to be triggered reliably.
Events of the same type from another host get filtered correctly. (And I expect that these examples will eventually get filtered correctly after a while without further action.)
Does anybody have a hint what might be wrong in our setup?
Thanks in advance,
Mike
Here is an example event:
{
"_index": "logstash-2015.02.24",
"_type": "eventlog",
"_id": "GQkKhvz0Qhu3I6swxsQ2qA",
"_score": null,
"_source": {
"EventReceivedTime": "2015-02-24 10:15:16",
"SourceModuleName": "apache_access_custom_asp",
"SourceModuleType": "im_file",
"message": "1.2.3.4|192.168.131.186|-|[24/Feb/2015:10:15:16 +0100]|GET|/somerequest|200|32178|\"-\"|\"Java/1.7.0_55\"|my.vhost.local",
"@version": "1",
"@timestamp": "2015-02-24T09:15:16.855Z",
"host": "192.168.131.186",
"type": "eventlog"
},
"sort": [
1424769316855,
1424769316855
]
}
Here is our complete filter:
#
# Logstash Configuration File
# Dynamically created by Nagios Log Server
#
# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.
#
# Created Tue, 24 Feb 2015 10:19:09 +0100
#
#
# Global filters
#
filter {
if [program] == 'apache_access' {
grok {
match => [ 'message', '%{COMBINEDAPACHELOG}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}
if 'apache_access_common' in [SourceModuleName] {
grok {
match => [ 'message', '%{COMMONAPACHELOG}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
}
if [SourceModuleName] == 'apache_access_custom_app' {
grok {
break_on_match => false
match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
geoip {
source => 'clientip'
}
}
if [SourceModuleName] == 'apache_access_custom_asp' {
grok {
break_on_match => false
match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
geoip {
source => 'clientip'
}
}
if 'apache_error' in [SourceModuleName] {
grok {
match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] %{GREEDYDATA:errmsg}']
}
date {
match => [ 'timestamp', 'EEE MMM dd HH:mm:ss.SSSSSS yyyy' ]
}
mutate {
replace => [ 'type', 'apache_error' ]
}
}
if [SourceModuleType] == 'im_mseventlog' {
mutate {
add_field => [ 'Channel', '%{FileName}' ]
}
}
}
#
# Local filters
#
Re: Filter not working (Windows, im_file, acces.log)
Posted: Wed Feb 25, 2015 8:38 am
by scottwilkerson
I'm not 100% sure what you are going for, but I have a feeling you want to perform a second grok match if the request field contains a word. I believe this would be the correct way to do that:
if [SourceModuleName] == 'apache_access_custom_asp' {
grok {
match => [ 'message', '%{IPORHOST:clientip}\|%{IPORHOST:hostip}\|%{USER:auth}\|\[%{HTTPDATE:timestamp}\]\|%{WORD:verb}\|%{GREEDYDATA:request}\|%{NUMBER:response}\|%{USER:bytes}\|%{QS:referrer}\|%{QS:agent}\|%{IPORHOST:vhost}']
}
grok {
match => [ 'request', '/%{WORD:directory}/%{GREEDYDATA}']
}
date {
match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
}
mutate {
replace => [ 'type', 'apache_access' ]
convert => [ 'bytes', 'integer' ]
convert => [ 'response', 'integer' ]
}
geoip {
source => 'clientip'
}
}
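As an added, runnable illustration (not code from the thread or from Nagios Log Server): a Python emulation of the filter branch above, with the posted grok pattern translated to a regex, the date and mutate steps, and the separate second grok on 'request', run over two of the sample messages from the thread. The grok sub-patterns are simplified approximations, and the conditional is modeled as substring containment, which is how the Logstash documentation defines `in` on a string field.

```python
import re
from datetime import datetime, timezone

# Regex translation of the thread's grok pattern; IPORHOST/USER/NUMBER are simplified.
IPORHOST = r"[\w.\-:]+"
USER = r"[A-Za-z0-9._\-]+"
QS = r'"(?:[^"\\]|\\.)*"'
ACCESS_RE = re.compile(
    rf"^(?P<clientip>{IPORHOST})\|(?P<hostip>{IPORHOST})\|(?P<auth>{USER})\|"
    r"\[(?P<timestamp>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\|"
    r"(?P<verb>\w+)\|(?P<request>.*)\|(?P<response>\d+)\|"
    rf"(?P<bytes>{USER})\|(?P<referrer>{QS})\|(?P<agent>{QS})\|(?P<vhost>{IPORHOST})$"
)
# Second-stage pattern '/%{WORD:directory}/%{GREEDYDATA}'; grok is unanchored, hence re.search.
DIRECTORY_RE = re.compile(r"/(?P<directory>\w+)/.*")

def selected(event, needle):
    """Model of `'needle' in [SourceModuleName]`: substring containment, so '_app' still matches."""
    return needle in event.get("SourceModuleName", "")

def apply_filter(event):
    """Emulate the posted branch: grok, date, mutate, then a second grok on 'request'."""
    m = ACCESS_RE.match(event["message"])
    if m is None:
        return dict(event, tags=["_grokparsefailure"])
    out = dict(event, **m.groupdict())
    # date { match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ] }: @timestamp comes from
    # the log line (normalised to UTC), not from the time the event was received.
    ts = datetime.strptime(out["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    out["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    # mutate { replace type; convert bytes/response to integer }; a '-' byte count becomes 0.
    out["type"] = "apache_access"
    out["response"] = int(out["response"])
    out["bytes"] = int(out["bytes"]) if out["bytes"].isdigit() else 0
    # 'request' exists only after the first grok has run, which is why the directory
    # match needs its own grok block rather than a second match= inside the first one.
    d = DIRECTORY_RE.search(out["request"])
    if d:
        out["directory"] = d.group("directory")
    else:
        out.setdefault("tags", []).append("_grokparsefailure")
    return out

# Constructed sample events, reduced to the two fields the filter uses (messages from the thread).
SAMPLE_EVENTS = [
    {"SourceModuleName": "apache_access_myformat_app",
     "message": '10.2.102.8|192.168.131.185|-|[12/Feb/2015:10:57:52 +0100]|GET|/someFolder/|200|4'
                '|"-"|"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"|our.vhost.local'},
    {"SourceModuleName": "apache_access_custom_asp",
     "message": '1.2.3.4|192.168.131.186|-|[24/Feb/2015:10:15:16 +0100]|GET|/somerequest|200|32178'
                '|"-"|"Java/1.7.0_55"|my.vhost.local'},
]
```

On the second sample the request "/somerequest" has no second slash, so the directory grok fails and the event picks up _grokparsefailure while the first-stage fields are kept.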
Re: Filter not working (Windows, im_file, acces.log)
Posted: Mon Mar 02, 2015 4:23 am
by McCriddle
Thanks for your reply.
The problem wasn't the filter, but our instances in the NLS cluster were not processing the events identically. When sent to "server1" the filter worked right; on "server2" it didn't get applied at all.
I re-set up NLS with a single instance and don't have these problems anymore (yet).
We will work out our filters on a single instance now and look into the cluster setup later on.
Regards,
Mike
Re: Filter not working (Windows, im_file, acces.log)
Posted: Mon Mar 02, 2015 9:09 am
by scottwilkerson
Glad it is working on the new setup.