
I have got a grok filter for my haproxy:

```
%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"%{WORD:http_verb} %{URIPATHPARAM:http_request}( HTTP/%{NUMBER:http_version}")?
```

This is correct in the online grok debugger, but my Logstash sees a failure and I can't see my date correctly. Where is the error or strange value in this code?

Mateusz Chudy
  • Can you share a sample log line? – Val Jan 14 '16 at 04:23
  • Jan 13 06:53:50 hhap haproxy[0000]: 192.168.1.1:50000 [13/Jan/2016:06:53:50.795] www-http statistic-back/apka01-3000 0/0/1/25/26 200 568 - - ---- 1/1/0/1/0 0/0 "POST /ver/cer HTTP/1.1" – Mateusz Chudy Jan 14 '16 at 10:01
  • You should use http://grokdebug.herokuapp.com/ (or similar) to debug your grok pattern with some sample log data. In your case, there are no matches because the third token `%{SYSLOGPROG}` does not match `haproxy[0000]:`. All the rest is fine. – Val Jan 14 '16 at 10:17
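
Added example (not part of the original thread): a minimal grok-to-regex expander in Python that reproduces the `%{SYSLOGPROG}` mismatch on the sample line's `haproxy[0000]:` prefix. The `PROG`, `POSINT`, `INT` and `SYSLOGPROG` definitions are transcribed from the stock logstash-patterns-core `grok-patterns` file and are an assumption about your installed version; `expand`, `grok_match` and `TOLERANT_PROG` are hypothetical names.

```python
import re

# Assumption: definitions as in the stock logstash-patterns-core grok-patterns
# file; compare against the patterns directory of your own Logstash install.
PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",          # positive int, no leading zero
    "INT": r"(?:[+-]?(?:[0-9]+))",             # any digit run, zeros allowed
    "PROG": r"[\x21-\x5a\x5c\x5f\x61-\x7a\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
}

# Hypothetical alternative that accepts a zero-padded pid such as "0000".
TOLERANT_PROG = r"%{PROG:program}(?:\[%{INT:pid}\])?"

TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok):
    """Recursively rewrite %{NAME} / %{NAME:field} into a Python regex."""
    def sub(m):
        body = expand(PATTERNS[m.group(1)])
        # A named token becomes a named capture group, like a grok field.
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return TOKEN.sub(sub, grok)


def grok_match(grok, text):
    """Return the captured fields, or None (grok's _grokparsefailure case)."""
    m = re.match(expand(grok), text)
    return m.groupdict() if m else None


# Constructed input: the program/pid prefix of the sample line in the comments.
SAMPLE = "haproxy[0000]: 192.168.1.1:50000"

if __name__ == "__main__":
    # POSINT rejects "0000", the optional [pid] group is skipped, and the
    # literal ": " then meets "[" instead, so the whole pattern fails.
    print("stock SYSLOGPROG :", grok_match("%{SYSLOGPROG}: ", SAMPLE))
    print("pid 1234         :",
          grok_match("%{SYSLOGPROG}: ", SAMPLE.replace("0000", "1234")))
    print("INT-based pid    :", grok_match(TOLERANT_PROG + ": ", SAMPLE))
```

Testing against unredacted lines avoids chasing a mismatch that only the anonymized pid introduces.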
