
OK, so I am in need of some help in figuring out why Logstash is giving me a parse error when I have tested it on the Grok Debugger. This has to do with a custom log from Apache.

Below is the raw log entry:

57.85.212.139 tst.testing.com [13/Mar/2015:10:10:55 -0600] "POST /app/cp/authenticate/updateLog HTTP/1.1" 200 444 195268 "-" "-"

Here is the Grok pattern:

(%{IP:clientip}|-) %{HOSTNAME:host} \[%{HTTPDATE:timestamp}\] "((?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))|-)" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:duration} "(%{DATA:referer}|-)" "(%{DATA:useragent}|-)"

Below is the error from Logstash:

{"tags":["_grokparsefailure"],"@version":1,"@timestamp":"2015-03-13T16:10:55.650Z","host":"EOA-ELB-TEST","file":"/var/log/apache2/access.log","message":"57.85.212.139 tst.testing.com [13/Mar/2015:10:10:55 -0600] \"POST /app/cp/authenticate/updateLog HTTP/1.1\" 200 444 216340 \"-\" \...

This makes no sense to me. Why would it pass on the validator but fail in Logstash?

Any help would be greatly appreciated.

Thanks!

baudsp
thiesdiggity
  • Is that the only grok{} in your config? Could it be that the other one is throwing the error? Check out tag_on_failure. – Alain Collins Mar 15 '15 at 16:23
  • Are you escaping the double quotes in your Logstash configuration? Because the expression works fine when I insert it into a Logstash configuration and escape the double quotes. Editing your post to include the actual configuration would be helpful. – Magnus Bäck Mar 16 '15 at 07:44

0 Answers
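The two checks raised in the comments, written out as a Logstash filter section. This is an added example, not the asker's configuration: the pattern and the `file` value are taken from the question, while the tag names and the second (syslog) grok filter are assumptions made for illustration.

```logstash
filter {
  if [file] == "/var/log/apache2/access.log" {
    # Grok pattern from the question. The string is double-quoted, so every
    # literal double quote inside the pattern is written as \".
    grok {
      match => {
        "message" => "(%{IP:clientip}|-) %{HOSTNAME:host} \[%{HTTPDATE:timestamp}\] \"((?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))|-)\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER:duration} \"(%{DATA:referer}|-)\" \"(%{DATA:useragent}|-)\""
      }
      # Constructed tag name. It replaces the default _grokparsefailure, so a
      # failure of this filter can be told apart from any other grok filter.
      tag_on_failure => ["_grokparsefailure_apache_custom"]
    }
  } else {
    # Hypothetical second grok filter (assumption, not from the question).
    # Without the conditional above it would also run on the Apache lines,
    # fail to match them, and tag events that the first filter parsed fine.
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
      tag_on_failure => ["_grokparsefailure_syslog"]
    }
  }
}
```

With a distinct tag per filter, the `tags` array of a failed event names the grok that rejected it.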