-1

I have HAProxy logs that need to be sent to Logstash, and I am trying to grok the captured request headers. Can you please suggest the grok pattern?

Here is the section of the log that has the Referrer|User-Agent|X-Forwarded-For|True-Client-IP:

{https://my-dev.mysite.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36|161.987.654.321, 122.486.243.921, 21.103.137.111|161.987.654.321}

I am new to Grok patterns, so I need your help.

Ben Cameron

2 Answers

0

You can use this one:

{%{URI:referrer}\|%{GREEDYDATA:user-agent}\|%{DATA:x-forwarded-for}\|%{IP:ip}}

It will work if you use real IPs.

Wookiee
  • Almost got it working. Thanks for your help. Here is a follow-up question ... How to remove the IP4 & IP6? I also wanted to rename 'x' with x-forwarded-for & 'ip' with True-Client-IP. Thanks again for your help – NewGrokker Jan 18 '17 at 20:11
  • You can use %{IPV4:TrueClientIP} instead of %{IP:TrueClientIP}. If I could help you, please accept my answer. – Wookiee Jan 19 '17 at 05:38
0

This worked for me ...

  {%{DATA:referrer}\|%{GREEDYDATA:user-agent}\|%{DATA:XForwardedFor}\|%{IP:TrueClientIP}}
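The field split that these grok patterns perform, written out as an added Python example (not code from either answer) that also shows why the question's sample line fails `%{IP}`: several of its addresses have octets above 255. The function names, the underscore field names and the second sample line are assumptions made for the illustration.

```python
import ipaddress
import re

# Captured-header block in the order given in the question:
# {Referrer|User-Agent|X-Forwarded-For|True-Client-IP}
# The User-Agent group is greedy so a '|' inside it does not shift the
# two address fields, which can never contain '|' themselves.
CAPTURE_RE = re.compile(
    r"\{(?P<referrer>[^|]*)\|(?P<user_agent>.*)"
    r"\|(?P<xff>[^|]*)\|(?P<true_client_ip>[^|}]*)\}"
)

def valid_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_captured_headers(line):
    """Return the four captured fields, or None if the block is absent."""
    m = CAPTURE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # X-Forwarded-For is a comma-separated hop list supplied by the client
    # and by each proxy on the path; keep it as a list, not one string.
    hops = [h.strip() for h in fields.pop("xff").split(",") if h.strip()]
    fields["x_forwarded_for"] = hops
    tci = fields["true_client_ip"].strip()
    fields["true_client_ip"] = tci
    # Record values a strict IP matcher such as %{IP} would reject.
    candidates = hops + ([tci] if tci else [])
    fields["invalid_ips"] = [ip for ip in candidates if not valid_ip(ip)]
    return fields

# Sample line from the question (its addresses are not real IPs).
QUESTION_LINE = (
    "{https://my-dev.mysite.com/|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36|"
    "161.987.654.321, 122.486.243.921, 21.103.137.111|161.987.654.321}"
)
# Constructed line using documentation address ranges and a '|' in the agent.
CONSTRUCTED_LINE = (
    "{https://example.test/|ExampleAgent/1.0 (a|b)|"
    "203.0.113.7, 198.51.100.23|203.0.113.7}"
)

if __name__ == "__main__":
    for sample in (QUESTION_LINE, CONSTRUCTED_LINE):
        print(parse_captured_headers(sample))
```

Both address fields are request headers, so downstream rules should treat them as untrusted input unless the proxy overwrites them.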