
Can someone help me with my grok filter?

The access log I want to parse is this one:

10.00.000.00 - - [08/Feb/2019:09:06:54 -0500] "GET /aft_ms_management_1/ms_manage HTTP/1.1" 404 1164

And the Grok pattern I'm trying is:

grok { match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:bytes}"] }

When I test the grok filter, I get the following error:

:error=>"end pattern with unmatched parenthesis:

But I don't see any parentheses anywhere... Thanks for your help.

As additional information, I test my pattern with:

input { stdin { } }
output { stdout { codec => rubydebug } }

filter {
    grok {
        match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} [%{HTTPDATE:apache_timestamp}] \"%{WORD:method} %{NOTSPACE:request_page} HTTP/%{NUMBER:http_version} %{NUMBER:server_response} %{NUMBER:bytes}" ]
    }
}
With which tool are you testing? I have tried a couple of Grok testers and I am not able to reproduce the error. Try your input and pattern in this tool and post your result, for example: grokconstructor.appspot.com/do/match. Or maybe the error is somewhere else... - Drubio

1 Answer

input { stdin {} }

filter {
    grok {
        match => { "message" => "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} %{NUMBER:bytes}" }
    }
}

output { stdout { codec => rubydebug } }

Every go! I found out how to give a better view. Here is my problem. Thanks.
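
To check the answer's pattern against the log line from the question without starting Logstash, this Ruby example (added here, not part of the original answer) expands each `%{NAME:field}` into a named capture group and runs it. The sub-pattern definitions in `GROK_DEFS` are simplified assumptions, not the ones Logstash ships, and `ROOT_LINE` is a constructed log line.

```ruby
# Simplified stand-ins for the grok sub-patterns the answer uses.
# Assumption: these are not the definitions Logstash ships, only
# reductions that cover the log format in the question.
GROK_DEFS = {
  "IP"       => '\d{1,3}(?:\.\d{1,3}){3}',
  "USER"     => '[a-zA-Z0-9._-]+',
  "HTTPDATE" => '\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}',
  "WORD"     => '\b\w+\b',
  "NOTSPACE" => '\S+',
  "NUMBER"   => '[+-]?\d+(?:\.\d+)?'
}.freeze

# Grok expression from the answer. In the Logstash config the double
# quotes are written \" because they sit inside a quoted string.
ANSWER_PATTERN =
  '%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] ' \
  '"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" ' \
  '%{NUMBER:server_response} %{NUMBER:bytes}'

# Replace every %{NAME:field} with a named capture group.
def grok_to_regexp(grok)
  source = grok.gsub(/%\{(\w+):(\w+)\}/) do
    body = GROK_DEFS.fetch($1) { raise ArgumentError, "unknown pattern #{$1}" }
    "(?<#{$2}>#{body})"
  end
  Regexp.new(source) # left unanchored, as grok does by default
end

ACCESS_RE = grok_to_regexp(ANSWER_PATTERN)

# Returns a field hash, or nil where Logstash would tag the event
# with _grokparsefailure.
def parse_access_line(line)
  m = ACCESS_RE.match(line)
  m && m.named_captures
end

# Log line from the question, plus a constructed request for "/".
QUESTION_LINE = '10.00.000.00 - - [08/Feb/2019:09:06:54 -0500] ' \
                '"GET /aft_ms_management_1/ms_manage HTTP/1.1" 404 1164'
ROOT_LINE     = '10.0.0.5 - - [08/Feb/2019:09:07:10 -0500] "GET / HTTP/1.1" 200 512'

if __FILE__ == $PROGRAM_NAME
  [QUESTION_LINE, ROOT_LINE].each do |line|
    fields = parse_access_line(line)
    puts(fields ? fields.inspect : "no match: #{line}")
  end
end
```

The constructed `ROOT_LINE` returns `nil` because `/%{NOTSPACE:request_page}` needs at least one character after the slash; in Logstash such an event is tagged `_grokparsefailure` and carries none of the extracted fields.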