Highest Voted 'grok' Questions - Server Fault Stack Exchange

7

votes

4 answers

nginx error log Grok pattern

I am having trouble getting the following nginx error log message to parse in the grok debugger. I have a feeling there is a stupid trick that I should use but can't figure out what it may be. 2015/03/20 23:35:52 [error] 8#0: *10241823 testing…

asked Mar 21 '15 at 03:25

jmreicha

791
1
16
29

3

votes

0 answers

How to apply grok to logs from syslog in telegraf?

In my current setup I am using Telegraf to ingest nginx logs from syslog and spit them out into influxdb. This works great. Telegraf has support for grok log parsing. As far as I can tell it can be invoked for [[inputs.file]] and for…

syslog grok telegraf

asked Jun 28 '19 at 09:43

Lennart Rolland

173
1
8

2

votes

2 answers

Grok Issue with Multiple IP's in NginX Logstash

i've got an issue with logging from my webservers, which has an elb and then a varnish layer in front of nginx layer. varnish is setup properly for X-Forwarded-For and logs come through normally with the correct 'client.ip' being logged. however,…

nginx amazon-elb logstash grok

asked Sep 28 '15 at 04:01

geniestacks

65
1
2
7

1

vote

1 answer

ELK Logs from application disappearing when grok rules are enabled

We have two instances of an application (same application, different database), lets call them app1 and app2. The route the logs take is: appX runs filebeat, which picks up the applications log file tags it with appX, and sends each entry to an…

elasticsearch logstash grok

asked Oct 02 '18 at 11:35

GeoSword

1,647
12
16

1

vote

1 answer

Logtash grok / multiline confusion

My real patterns are more complex but I have tried to boil the problem down to the core issue. Something I don't understand. Please try this out on http://grokconstructor.appspot.com/do/match I'm trying to match the following lines: Start-Date:…

logstash grok

asked Aug 08 '17 at 09:30

spoovy

334
4
14

1

vote

1 answer

Logstash multiline codec for Java stacktraces

The logstash documentation indicates that you can collapse the multiple indented lines in a Java stacktrace log entry into a single event using the multiline codec: https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html input…

java logstash grok

asked Mar 16 '17 at 12:30

Garreth McDaid

3,399
26
41

1

vote

0 answers

Logstash syslog filter not applying to logs?

I'm looking through some syslog logs files in my ELK stack and noticed that all the syslog_severity fields are 'notice', when I can verify in the log files that they are not 'notice'. Seems like Logstash is defaulting syslog_severity to notice.…

syslog logstash filter elk grok

asked Feb 07 '17 at 22:57

Celi Manu

161
1
1
5

1

vote

1 answer

Logstash continued grokking after _grokparsefailure

Goodday, (using logstash 1.4.2) I'm trying to do something like: filter { if type == "feed" { grok { match => [ "message", "%{COMBINEDAPACHELOGS}" ] add_tag => [ "grokked", "web" ] tag_on_failure => [ "notweb" ] } } if type…

logstash grok

asked Mar 19 '15 at 12:40

Hevisko

11
3

1

vote

1 answer

Logstash Grok Pattern

First of all I apologize for this,I am pretty bad in regular-expression and try to wrote custom pattern(as I am unable to find something in existing grok pattern or may be I am missing something) for parsing svn logs which is in the format of…

logstash grok

asked Mar 04 '15 at 02:37

Prashant Lakhera

683
1
9
25

0

votes

1 answer

Grok filter for Cisco ASA

How can i get port from cisco ASA syslog using grok pattern. I have tried some methods and its not working . We are using graylog for collecting log data. Eg Log : %ASA-6-301014: Teardown TCP connection 1846898154 for Vodafone:107.23.89.178/443…

linux cisco syslog graylog grok

asked Apr 07 '19 at 11:07

James Arems

81
4

0

votes

3 answers

Logstash Grok Parsing Failed

I need to match this entry 2015/10/30 23:58:21 pid 22223 testuser@testserver.example.com 192.168.0.1 [p4/2012.2/LINUX26X86_64/536738] 'test-monitor show' To match this I wrote this Regex P4_DATE…

logstash regular-expressions grok

asked Dec 07 '16 at 02:04

Prashant Lakhera

683
1
9
25

0

votes

1 answer

Logstash Grok Filter

I'm sure there is a simple solution to this but I'm new to working Logstash. The filter I'm trying to apply is for some firewall logs and I have a field that will either have a single or two values separated by a…

firewall logging elasticsearch logstash grok

asked Jun 13 '16 at 07:43

user5038347

11
2

0

votes

0 answers

F5 High Speed Logging and Logstash GROK

Im trying to format logs straight from our F5 using HSL and Logstash. I've copied the example configuration exactly from the site as it contains the majority of the information I wanted logstash example My F5 is now outputting logs to my…

elasticsearch logstash f5-big-ip kibana grok

asked Feb 15 '16 at 09:34

Dan

138
2
11

0

votes

1 answer

Logstash grok match pattern not working even though grok constructor says it is okay

I've been building some grok patterns to parse the /var/log/secure log file and everything has been working fine. I create the grok patterns at http://grokconstructor.appspot.com/ and even then test them at http://grokdebug.herokuapp.com/ and both…

logstash grok

asked Jan 08 '16 at 14:50

OneTrueBob

11
1
3

0

votes

1 answer

Logstash is not processing MySQL logs correctly

As you can see, the message is not just the message, but also contains the date and timestamp. . . This is the MySQL Log: /var/log/mysql/error.log 150630 9:01:29 [Warning] Access denied for user 'test1'@'localhost' (using password: YES) 150630 …

elasticsearch logstash kibana grok

asked Jun 30 '15 at 09:26

ujjain

3,963
15
50
88

Questions tagged [grok]