logstash errors on timestamp format

mike4vr · Post by **mike4vr** » Fri Mar 04, 2016 1:51 pm

We keep seeing massive amounts of errors in the logstash log complaining about the timestamp format:

{:timestamp=>"2016-03-04T10:45:56.256000-0800", :message=>"Failed parsing date from field", :field=>"timestamp", :value=>"Mar  4 10:45:56", :exception=>java.lang.IllegalArgumentException: Invalid format: "Mar  4 10:45:56", :level=>:warn}

I'm guessing this is apache errors. Looking at our filter configuration, I have the following:

Code: Select all

if [program] == 'apache_access' {
    grok {
        match => [ 'message', '%{COMBINEDAPACHELOG}']
    }
    date {
        match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
    }
    mutate {
        replace => [ 'type', 'apache_access' ]
         convert => [ 'bytes', 'integer' ]
         convert => [ 'response', 'integer' ]
    }
}
 
if [program] == 'apache_error' {
    grok {
        match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
    }
    mutate {
        replace => [ 'type', 'apache_error' ]
    }
}

To me, the timestamp *looks* correct, but I am not totally sure. Is there a way to verify this? Or am I totally off?

hsmith · Post by **hsmith** » Fri Mar 04, 2016 2:08 pm

What kind of input is it? If it's coming in as a 'syslog' input, it may need to be changed.

mike4vr · Post by **mike4vr** » Fri Mar 04, 2016 2:19 pm

hsmith wrote:What kind of input is it? If it's coming in as a 'syslog' input, it may need to be changed.

Good question, how do I find out what kind of input it is? The above error I pasted is exactly what I see scrolling through logstash.log

hsmith · Post by **hsmith** » Fri Mar 04, 2016 2:42 pm

Would you be interested in doing a remote for this on Monday? If so, please send in a ticket to [email protected]. I'll take ownership of the ticket and give you my link to sign up for a remote. I feel like it may be quicker to resolve over remote than going back and forth on here.

mike4vr · Post by **mike4vr** » Fri Mar 04, 2016 3:49 pm

hsmith wrote:Would you be interested in doing a remote for this on Monday? If so, please send in a ticket to [email protected]. I'll take ownership of the ticket and give you my link to sign up for a remote. I feel like it may be quicker to resolve over remote than going back and forth on here.

Sure, email sent. Thanks.

jolson · Post by **jolson** » Mon Mar 07, 2016 11:23 am

Mike,

I see your ticket in our system - I'll close this thread out for now. Thanks!

Nagios Support Forum

logstash errors on timestamp format

logstash errors on timestamp format

Re: logstash errors on timestamp format

Re: logstash errors on timestamp format

Re: logstash errors on timestamp format

Re: logstash errors on timestamp format

Re: logstash errors on timestamp format