gpilla/11-apache-filter.conf

## 11-apache-filter.conf
filter {
  if [type] == "apache_access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}

filter {
  if [type] == "apache_error" {
    grok {
        match => { "message" => "\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\] \[:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? PHP %{DATA:php_error_level}: %{DATA:php_error} in %{DATA:php_file} on line %{POSINT:php_line}" }
    }
    grok {
        match => { "message" => "\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\] \[:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{GREEDYDATA:message}" }
    }
  }
}
	filter {
	if [type] == "apache_access" {
	grok {
	match => { "message" => "%{COMBINEDAPACHELOG}" }
	}
	date {
	match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
	}
	}
	}

	filter {
	if [type] == "apache_error" {
	grok {
	match => { "message" => "\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\] \[:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? PHP %{DATA:php_error_level}: %{DATA:php_error} in %{DATA:php_file} on line %{POSINT:php_line}" }
	}
	grok {
	match => { "message" => "\[%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}\] \[:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_errormessage}:)?( \[client %{IPORHOST:client}:%{POSINT:clientport}\])? %{GREEDYDATA:message}" }
	}
	}
	}