Using the Grok Debugger to Test Logstash Filter for Apache Errors

I am trying to understand the use of grok to filter my apache error logs.

My error log file looks like this:

[Thu Feb 27 13:22:44 2014] [error] [client 10.110.64.71] script not found or unable to stat: /var/www/cgi-bin/php4

How can I use grok to filter this? This is what I have so far:

filter {
  grok {
    type => "apache-error"
    pattern => "\[%{HTTPDATE:timestamp}\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}"
  }
}

I tried using the Grok Debugger, but I barely have an idea what I'm doing. I am literally new to logstash.

+4
1 answer

Thus, you can use the grok debugger application:

grok, "". , , - , , . ( JSON, , )

Grok - , . :

Input:  [Thu Feb 27 13:22:44 2014] [error] [client 10.110.64.71] script not found or unable to stat: /var/www/cgi-bin/php4

Your_Pattern: \[%{HTTPDATE:timestamp}\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}

" ". , HTTPDATE : %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}, .

, , . . regex . , .

:

\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\] \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\] %{GREEDYDATA:errmsg}

grok %{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR} . :

(?<new_name>regular expression / grok). 

post groks.

+5
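
The mismatch between the two patterns above, as an added example that is not part of the original post: a minimal grok-to-regex expander in Python, run against the question's log line. The pattern definitions are simplified stand-ins for the stock Logstash ones, and `expand` and `grok` are hypothetical helper names.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumption: the real
# Logstash patterns are more permissive, e.g. they accept full month names).
PATTERNS = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0?[1-9]|[12]\d|3[01])",
    "YEAR": r"\d{4}",
    "TIME": r"\d{2}:\d{2}:\d{2}",
    "INT": r"[+-]?\d+",
    "WORD": r"\b\w+\b",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
    # Composition as quoted in the answer above.
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """Recursively turn %{NAME} / %{NAME:field} into a Python regex."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return TOKEN.sub(sub, pattern)

def grok(pattern, line):
    """Return the captured fields, or None when the pattern does not match."""
    # Grok's (?<name>...) is Oniguruma syntax; Python spells it (?P<name>...).
    pattern = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    m = re.search(expand(pattern), line)
    return m.groupdict() if m else None

# Log line and both patterns copied from the post.
LINE = ("[Thu Feb 27 13:22:44 2014] [error] [client 10.110.64.71] "
        "script not found or unable to stat: /var/www/cgi-bin/php4")
TAIL = (r" \[%{WORD:class}\] \[%{WORD:originator} %{IP:clientip}\]"
        r" %{GREEDYDATA:errmsg}")
ASKER_PATTERN = r"\[%{HTTPDATE:timestamp}\]" + TAIL
ANSWER_PATTERN = (r"\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY}"
                  r" %{TIME} %{YEAR})\]" + TAIL)

if __name__ == "__main__":
    print("HTTPDATE pattern:", grok(ASKER_PATTERN, LINE))
    print("custom pattern:  ", grok(ANSWER_PATTERN, LINE))
```
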

Source: https://habr.com/ru/post/1529279/