apache log combined log
Posted: Sun Jun 12, 2016 11:53 pm
by pccwglobalit
The below is our Apache combined log:
"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\" \"%{X-Forwarded-For}i\" %D"
The original combined log is without \"%{Host}i\" \"%{X-Forwarded-For}i\" %D.
How can I add a filter in Logstash so that I can see the three parameters?
Host is IP or hostname
X-Forwarded-For is IP
%D is response time and it is INT
Thanks.
Re: apache log combined log
Posted: Mon Jun 13, 2016 1:00 pm
by hsmith
Can you please show me the entire grok filter?
Re: apache log combined log
Posted: Mon Jun 13, 2016 10:38 pm
by pccwglobalit
if [program] == 'apache_access' {
  grok {
    match => [ 'message', '%{COMBINEDAPACHELOG} %{INT:responseTime}']
  }
  date {
    match => [ 'timestamp', 'dd/MMM/yyyy:HH:mm:ss Z' ]
  }
  mutate {
    replace => [ 'type', 'apache_access' ]
    convert => [ 'bytes', 'integer' ]
    convert => [ 'response', 'integer' ]
  }
}
if [program] == 'apache_error' {
  grok {
    match => [ 'message', '\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}']
  }
  mutate {
    replace => [ 'type', 'apache_error' ]
  }
}
Re: apache log combined log
Posted: Tue Jun 14, 2016 12:30 pm
by hsmith
All right, thanks for posting that.
I'm still a little bit confused about exactly what you're trying to achieve.
pccwglobalit wrote: How can I add a filter in Logstash so that I can see the three parameters?
Host is IP or hostname
X-Forwarded-For is IP
%D is response time and it is INT
You want these to show up as a field in your log?
Re: apache log combined log
Posted: Thu Jun 16, 2016 3:10 am
by pccwglobalit
Yes, I want to show Host and X-Forwarded-For.
Re: apache log combined log
Posted: Thu Jun 16, 2016 1:51 pm
by hsmith
I want to see exactly what is happening. I think we'll resolve this one faster if we do a remote session.
Please send a ticket in to [email protected]. I will take ownership of the ticket, and we can schedule a remote.
Thanks!
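
One way to parse the extended LogFormat from the first post, as an added example that is not from the thread or from either poster. The field names vhost and x_forwarded_for are assumptions chosen for illustration; responseTime and the [program] condition come from the posted config.

```logstash
filter {
  if [program] == "apache_access" {
    grok {
      # COMBINEDAPACHELOG ends at the quoted User-Agent. The three extra
      # LogFormat items follow it: "Host" "X-Forwarded-For" %D
      match => {
        "message" => '%{COMBINEDAPACHELOG} "%{DATA:vhost}" "%{DATA:x_forwarded_for}" %{INT:responseTime}'
      }
    }

    # Apache writes "-" when the request carried no X-Forwarded-For header.
    if [x_forwarded_for] == "-" {
      mutate { remove_field => [ "x_forwarded_for" ] }
    } else if [x_forwarded_for] {
      # The header can hold a chain such as "client, proxy1, proxy2".
      # Normalise the separators, then store the chain as an array.
      mutate {
        gsub  => [ "x_forwarded_for", "\s*,\s*", "," ]
        split => { "x_forwarded_for" => "," }
      }
    }

    mutate {
      # %D is the time taken to serve the request, in microseconds.
      convert => { "responseTime" => "integer" }
    }
  }
}
```

X-Forwarded-For is a request header, so a client can send any value in it; only the entries appended by proxies you operate can be relied on, while clientip (from %h) is the address of the peer that actually connected to Apache.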