- We are attempting to resolve a problem where data hasn't been assigned the correct source type.
- We have attempted to resolve this by performing search time field extractions but nothing seems to work.
- The sourcetype has been identified as: www_website_com_au_access_log-2
- The source is: /var/log/httpd/www_website_com_au_access_log
- In props.conf I have tried:
- I have tried:
- I have tried:
- TRANSFORMS-fix_ae = fix_access_extractions
- With the complementing transforms.conf
- matches access-common or access-combined apache logging formats
- Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)
- Note: referer is misspelled on purpose because that is the "official" spelling for "HTTP referer"
- REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
- FORMAT = sourcetype::access_common
- DEST_KEY = MetaData:Sourcetype
- Yet when I do a search on source=/var/log/httpd/www_website_com_au_access_log
- The fields are still useless and no useful fields are returned.
- Thanks in advance
- SAMPLE DATA:
- 192.168.x.x (192.168.x.x) www.website.com - - [23/May/2013:17:05:44 +8000] "GET /images/external/website_logo.png HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MSOffice 12)" 21832 TLSv1 AES128-SHA
a guest May 23rd, 2013 9 Never
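Added example, not part of the original paste: a Python walk of the sample line through the field order of the posted REGEX, to show at which field the line stops following the access-common layout. The patterns are plain approximations rather than Splunk's modular regex definitions, and the CUSTOM field list with the names peer_ip, vhost, extra_num, tls_version and tls_cipher is hypothetical.

```python
import re

# Sample line from the paste above; the user agent is shortened here.
SAMPLE = ('192.168.x.x (192.168.x.x) www.website.com - - '
          '[23/May/2013:17:05:44 +8000] '
          '"GET /images/external/website_logo.png HTTP/1.1" 304 - "-" '
          '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0)" '
          '21832 TLSv1 AES128-SHA')

# Field order of the posted REGEX up to "bytes" (assumed plain-regex equivalents).
STANDARD = [
    ('clientip', r'(\S+)'), ('ident', r'(\S+)'), ('user', r'(\S+)'),
    ('req_time', r'\[([^\]]*)\]'), ('request', r'"([^"]*)"'),
    ('status', r'(\S+)'), ('bytes', r'(\S+)'),
]

# Hypothetical layout for this log: two extra fields after the client IP
# and three trailing fields after the user agent.
CUSTOM = (STANDARD[:1]
          + [('peer_ip', r'\(([^)]*)\)'), ('vhost', r'(\S+)')]
          + STANDARD[1:]
          + [('referer', r'"([^"]*)"'), ('useragent', r'"([^"]*)"'),
             ('extra_num', r'(\d+)'), ('tls_version', r'(\S+)'),
             ('tls_cipher', r'(\S+)')])


def walk(fields, line):
    """Consume fields left to right.

    Returns (parsed, failed_field, rest): failed_field is None when every
    field matched, otherwise the first field whose pattern did not match,
    and rest is the unconsumed text at that point.
    """
    parsed, pos = {}, 0
    for name, pattern in fields:
        m = re.compile(r'\s*' + pattern).match(line, pos)
        if not m:
            return parsed, name, line[pos:].lstrip()
        parsed[name] = m.group(1)
        pos = m.end()
    return parsed, None, line[pos:].strip()


if __name__ == '__main__':
    for label, fields in (('standard', STANDARD), ('custom', CUSTOM)):
        parsed, failed, rest = walk(fields, SAMPLE)
        print(label, 'failed at:', failed, '| unparsed:', rest[:30])
        print('  ', parsed)
```

With the standard order, the parenthesised address lands in ident and the host name in user, and the walk stops at req_time because the next token is "-" rather than "[".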