Created January 4, 2017 08:17
Grok pattern for Restlet log to be used with logstash
# Grok pattern for Restlet log entry. Only for the first 14 fields.
#
# 1. Date (YYYY-MM-DD)
# 2. Time (HH:MM:SS)
# 3. Client address (IP)
# 4. Remote user identifier (see RFC 1413)
# 5. Server address (IP)
# 6. Server port
# 7. Method (GET|POST|...)
# 8. Resource reference path (including the leading slash)
# 9. Resource reference query (excluding the leading question mark)
# 10. Response status code
# 11. Number of bytes sent
# 12. Number of bytes received
# 13. Time to serve the request (in milliseconds)
# 14. Host reference
# 15. Client agent name
# 16. Referrer reference
# Pattern:
%{RESTLET_DATE:date}\s+%{TIME:time}\s+%{IP:remote-ip}\s+%{USER:remote-user-id}\s+%{IP:server-ip}\s+%{POSINT:server-port}\s+%{WORD:method}\s+%{URIPATH:resource}\s+%{RESTLET_URIPARAM:query}\s+%{NUMBER:status}\s+%{NUMBER:bytes-sent}\s+%{NUMBER:bytes-received}\s+%{NUMBER:response-time}\s+%{URI:host-ref}
# Additional patterns:
RESTLET_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}
RESTLET_URIPARAM [A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
# For validation go to http://grokconstructor.appspot.com/do/match
# Use this log entry for validation
2017-01-03 10:33:06 127.0.0.1 - 127.0.0.1 80 GET /run/foo/bar/baz abc=&offset=0&limit=20&cde=&activeOnly=1 200 55572 0 2382 http://192.168.40.119 Mozilla/XXX (Macintosh; Intel Mac OS X YYY) AppleWebKit/XXX (KHTML, like Gecko) Chrome/XXX Safari/XXX https://192.168.40.119/resource
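Added example (not part of the gist): a minimal grok-to-regex expander in Python that compiles the pattern above against simplified stand-ins for the grok-patterns library entries it references (YEAR, TIME, IP, USER, POSINT, WORD, URIPATH, NUMBER, URI; these are assumptions, not the exact Logstash definitions) and parses the gist's validation line offline, so the 14-field mapping can be checked without a Logstash pipeline or the online constructor.

```python
import re
# Simplified stand-ins for the grok-patterns library entries the Restlet pattern
# uses (assumption: not the exact logstash definitions, adequate for this format).
BASE_PATTERNS = {
    "YEAR": r"\d{4}", "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "TIME": r"\d{2}:\d{2}:\d{2}(?:[.,]\d+)?", "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[a-zA-Z0-9._-]+", "POSINT": r"[1-9][0-9]*", "WORD": r"\w+",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "URI": r"[A-Za-z][A-Za-z0-9+.\-]*://\S+",
    # The two custom patterns defined in the gist itself
    "RESTLET_DATE": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}",
    "RESTLET_URIPARAM": r"[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*",
}
# The gist's pattern, verbatim
RESTLET_PATTERN = (
    r"%{RESTLET_DATE:date}\s+%{TIME:time}\s+%{IP:remote-ip}\s+%{USER:remote-user-id}\s+"
    r"%{IP:server-ip}\s+%{POSINT:server-port}\s+%{WORD:method}\s+%{URIPATH:resource}\s+"
    r"%{RESTLET_URIPARAM:query}\s+%{NUMBER:status}\s+%{NUMBER:bytes-sent}\s+"
    r"%{NUMBER:bytes-received}\s+%{NUMBER:response-time}\s+%{URI:host-ref}"
)
# The gist's validation log entry
SAMPLE_LINE = ("2017-01-03 10:33:06 127.0.0.1 - 127.0.0.1 80 GET /run/foo/bar/baz "
               "abc=&offset=0&limit=20&cde=&activeOnly=1 200 55572 0 2382 "
               "http://192.168.40.119 Mozilla/XXX (Macintosh; Intel Mac OS X YYY) "
               "AppleWebKit/XXX (KHTML, like Gecko) Chrome/XXX Safari/XXX "
               "https://192.168.40.119/resource")
GROK_REF = re.compile(r"%\{(\w+)(?::([\w-]+))?\}")

def compile_grok(pattern, library):
    """Expand %{NAME} / %{NAME:field} references into one Python regex; a named
    reference becomes a capture group, an unnamed one a non-capturing group."""
    fields = []
    def expand(m):
        body = library[m.group(1)]          # KeyError on an unknown pattern name
        if m.group(2):
            fields.append(m.group(2))
            return "(" + body + ")"
        return "(?:" + body + ")"
    while "%{" in pattern:                  # custom patterns may nest library ones
        pattern = GROK_REF.sub(expand, pattern)
    return re.compile(pattern), fields

def parse_restlet(line):
    """Return the 14 captured fields as a dict, or None when the line does not match."""
    regex, fields = compile_grok(RESTLET_PATTERN, BASE_PATTERNS)
    m = regex.match(line)
    return dict(zip(fields, m.groups())) if m else None
```

Because the field names keep the gist's hyphenated spelling (remote-ip, bytes-sent), the result dict mirrors the event fields Logstash would emit for the same pattern.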