444.111.222.333 - - [20/Jan/2015:08:35:48 -0500] 980 "GET /MyWAR/js/dojo-release-1.8.0/dijit/form/DataList.js HTTP/1.1" 200 428 "https://mysite.com/MyWAR/servlet!showPage.action" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)" "__utma=127050719.1634544798.1421250027.1421692895.1421696677.12; __utmz=127050719.1421696677.12.7.utmcsr=mysite.com|utmccn=(referral)|utmcmd=referral|utmcct=/home/home.asp; JSESSIONID=0001s_1Rxm0yvfqcNeoG8g-01v8:12NIHRT8DI; SSO=; SESSIONID=%14%2D%5B%2EYZ%2A%29X%2D%2EVV%5B%2CV%29%2DV%29%5F%2B%2AV%5CZ%2EV%5B%5D%5F%2C%2A%12; SESSEC=bXpZfqe4Vcl"
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] %{NUMBER:time_taken} (?:%{WORD:verb} %{NOTSPACE:request}(?:HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest}) %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}
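# Logstash (1.x-era syntax) pipeline: tail Apache access logs, parse each line
# with grok, enrich with geoip/useragent, and index into Elasticsearch.
input {
  file {
    type   => "apache"
    path   => "/esearch/zlinux/input-logs/httpd-log.*"
    format => "plain"
  }
}

filter {
  # Discard comment/header lines before any parsing is attempted.
  if [message] =~ "^#" {
    drop {}
  }

  grok {
    # Field order must match the web server's LogFormat; compare against the
    # sample log line kept alongside this config. In that sample the request is
    # quoted and a space separates the path from "HTTP/1.1". The original
    # pattern had neither the quotes nor that space, so every line fell through
    # to the %{DATA:rawrequest} alternative and [verb]/[request]/[httpversion]
    # were never populated. Single quotes avoid escaping the inner ".
    match => ["message", '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] %{NUMBER:time_taken} "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}']
  }

  # Set the event @timestamp from the request time recorded in the log.
  date {
    match    => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    timezone => "Etc/UCT"
  }

  if [clientip] {
    geoip {
      database => "./vendor/geoip/GeoLiteCity.dat"
      source   => "clientip"
      target   => "geoip"
      # Elasticsearch geo_point arrays are [longitude, latitude]; keep this order.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }

  # Fix: grok stores the User-Agent string in [agent]. The original read
  # [useragent], a field that is never created, so no browser* fields were
  # ever produced.
  useragent {
    source => "agent"
    prefix => "browser"
  }

  # The trailing quoted field in these logs is the Cookie header (the sample
  # line carries JSESSIONID, SESSIONID and SESSEC). grok does not name it, so it
  # is kept verbatim inside [message] and would be indexed as-is; anyone with
  # read access to the index could then reuse a still-valid session. Mask the
  # values before the event leaves the pipeline. Extend the alternation if the
  # application sets other session cookies.
  mutate {
    gsub => [ "message", "(JSESSIONID|SESSIONID|SESSEC)=[^;\"]*", "\1=[REDACTED]" ]
  }

  # The parsed time now lives in @timestamp; the raw string is redundant.
  mutate {
    remove_field => [ "timestamp" ]
  }
}

output {
  # Plain HTTP is acceptable only because the node is loopback-only. If
  # Elasticsearch moves off this host, put TLS and authentication in front of
  # it before changing `host`.
  elasticsearch {
    host     => "127.0.0.1"
    protocol => "http"
    index    => "logstash-zlinux-%{+YYYY.MM.dd}"
  }
}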