Last active: August 29, 2015 14:18
logstash grok parser for httpd and squid
apache web server
=================
Feb 18 13:42:48 www http_access: 120.61.15.50 - - [18/Feb/2015:13:42:48 +0530] "GET / HTTP/1.1" 200 31413
Feb 18 13:42:48 www http_access: 49.248.46.26 - - [18/Feb/2015:13:42:48 +0530] "GET /SpryAssets/SpryMenuBarDownHover.gif HTTP/1.1" 200 55
# earlier attempt, kept for reference: it hard-codes "/" as the request path, so only the first sample line matches
#%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:user}\ %{WORD:access}\: %{IP:ip} \- \- \[%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{NUMBER}\] "%{WORD:http_method} / %{WORD:http}/%{NUMBER:http_ver}" %{NUMBER:response_code} %{NUMBER:bytes}
# "www" is the syslog hostname, not a user (the client user is the second "-"), so it is captured as host;
# URIPATHPARAM also accepts a query string (?a=b), which URIPATH would reject
%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:host}\ %{WORD:access}\: %{IP:ip} \- \- \[%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{NUMBER}\] "%{WORD:http_method} %{URIPATHPARAM:request} %{WORD:http}/%{NUMBER:http_ver}" %{NUMBER:response_code} %{NUMBER:bytes}
Squid
=====
Feb 18 15:08:28 gan (squid-1): 1424252308.03513 52463 10.11.12.11 TCP_MISS/200 270 4213 CONNECT vins HIER_DIRECT/106.10.199.11 - in-mg61.mail.yahoo.com:443
Apr 1 17:24:54 gan (squid-1): 1428321294.059 2 10.1.2.10 TCP_DENIED/407 282 3832 GET msgan HIER_NONE/- text/html http://swupmf.adobe.com/manifest/50/win/reader8rdr-en_US.upd
# earlier attempt, kept for reference: %{IP} after hier_method fails on "HIER_NONE/-", and the URL is never captured
#%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:server} \(%{WORD:squid}-1\): %{NUMBER:timestamp} %{POSINT:bytes} %{IP:ip_addr} %{WORD:tcp_response}/%{INT:http_response} %{INT} %{INT} %{WORD:method} %{WORD:user_name} %{WORD:hier_method}/%{IP} %{USERNAME:file_type} %{GREEDYDATA}
# the field after the timestamp is the request duration in milliseconds, not a byte count;
# the content type is "-" on CONNECT lines, so %{NOTSPACE} is used instead of %{WORD}/%{WORD},
# which only matches "text/html"-style values and would drop every CONNECT line
%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:server} \(%{WORD:squid}-1\): %{NUMBER:timestamp} %{POSINT:duration_ms} %{IP:ip_addr} %{WORD:tcp_response}/%{INT:http_response} %{INT} %{INT} %{WORD:method} %{WORD:user_name} %{WORD:hier_method}/%{USERNAME} %{NOTSPACE:content_type} %{GREEDYDATA:url}
snort openappid grok filter:
============================
statTime="1428925680",appName="amazon",txBytes="45553",rxBytes="52296"
statTime="%{WORD:timestamp}",appName="%{WORD:appName}",txBytes="%{WORD:app_txBytes}",rxBytes="%{WORD:app_rxBytes}"
Test grok patterns with: http://grokdebug.herokuapp.com/
logstash patterns: https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
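As an added example (not part of the gist), a small Python grok expander built on a constructed, simplified subset of the logstash pattern library: it turns the gist's apache and squid patterns into named-group regexes and runs them over the sample lines above, so the field mapping can be checked offline before it goes into a logstash filter. The squid pattern here names the elapsed-time field duration_ms and uses %{NOTSPACE:content_type} so the CONNECT line also matches; the GROK table and both pattern constants are assumptions local to this example.

```python
import re

# Constructed, simplified subset of the logstash grok-patterns library
# (not the upstream definitions) covering only the names the gist uses.
GROK = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:[01]?\d|2[0-3]):[0-5]\d:[0-5]\d",
    "WORD": r"\b\w+\b",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
    "POSINT": r"\b[1-9]\d*\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "URIPATHPARAM": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+(?:\?[^\s\"]*)?",
}

def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} into a Python regex with named groups."""
    def expand(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return "^" + re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern) + "$"

def grok_match(pattern, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# Apache pattern from the gist; URIPATHPARAM (unlike URIPATH) also accepts a query string.
APACHE = (r'%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:host}\ %{WORD:access}\: %{IP:ip} \- \- '
          r'\[%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{NUMBER}\] "%{WORD:http_method} '
          r'%{URIPATHPARAM:request} %{WORD:http}/%{NUMBER:http_ver}" %{NUMBER:response_code} %{NUMBER:bytes}')
# Squid pattern from the gist; the elapsed-time field is named duration_ms, and
# NOTSPACE:content_type replaces WORD/WORD so the "-" content type of a CONNECT line matches.
SQUID = (r'%{MONTH}\ %{MONTHDAY}\ %{TIME}\ %{WORD:server} \(%{WORD:squid}-1\): %{NUMBER:timestamp} '
         r'%{POSINT:duration_ms} %{IP:ip_addr} %{WORD:tcp_response}/%{INT:http_response} %{INT} %{INT} '
         r'%{WORD:method} %{WORD:user_name} %{WORD:hier_method}/%{USERNAME} %{NOTSPACE:content_type} '
         r'%{GREEDYDATA:url}')

if __name__ == "__main__":
    # Sample lines copied from the gist.
    print(grok_match(APACHE, 'Feb 18 13:42:48 www http_access: 120.61.15.50 - - '
                             '[18/Feb/2015:13:42:48 +0530] "GET / HTTP/1.1" 200 31413'))
    print(grok_match(SQUID, 'Feb 18 15:08:28 gan (squid-1): 1424252308.03513 52463 10.11.12.11 '
                            'TCP_MISS/200 270 4213 CONNECT vins HIER_DIRECT/106.10.199.11 - in-mg61.mail.yahoo.com:443'))
```

Swapping `%{NOTSPACE:content_type}` back for the gist's original `%{WORD}/%{WORD}` makes `grok_match` return None for the CONNECT line, which is the quickest way to see why that field was widened.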