Logstash AWS Elastic Beanstalk access-log patterns
if [type] == 'elb-access-log' {
grok {
  # Custom pattern definitions; the path is relative, so it presumably resolves against
  # the working directory Logstash is started from — confirm for the deployment.
  patterns_dir => "./patterns"
  # Alternative shapes of the access-log line. Grok tries them in order and the first match
  # wins, so keep the more specific variants ahead of the looser ones.
  # Lines that match none of them get the _grokparsefailure tag (not "_grokfailure"); search
  # for that tag in Kibana and add a pattern here for each new shape that shows up.
  # Not every pattern captures clientIp / bytes / referrer, so downstream filters must not
  # assume those fields exist.
  # NOTE(review): the parenthesised address list (clientIp, clientIp1, elbip1) looks like a
  # forwarded-for chain; if so, the leading entries are supplied by the remote client and
  # clientIp should be treated as untrusted input for any allow/deny or geo decision —
  # confirm against the environment's Apache LogFormat.
  # The patterns are unanchored (no ^ / $), so grok searches for the first position where
  # a pattern fits rather than requiring it to cover the whole line.
  match => [ "message" , [
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - \"-\" %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} \"-\" %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:clientIp1}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - %{QS:referrer} %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} %{NUMBER:bytes} %{QS:referrer} %{QS:agent}",
    "%{WORD:unknown_data_1} \(-\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{DATA:unknown_data_2} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - \"-\" %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:clientIp1}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - \"-\" %{QS:agent}",
    "%{IPORHOST:elbIp} \(, %{IPORHOST:clientIp1}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - \"-\" %{QS:agent}",
    "%{IPORHOST:elbIp} \(%{IPORHOST:clientIp}, %{IPORHOST:clientIp1}, %{IPORHOST:elbip1}\) - - \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response} - %{QS:referrer} %{QS:agent}"
  ]
  ]
}
# Promote the access-log timestamp captured by grok (HTTPDATE, e.g. 10/Mar/2015:12:33:00 +0000)
# to the event's @timestamp, so events are ordered by when the request happened rather than
# by when Logstash read the line.
date {
  match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
}
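# GeoIP enrichment, run only when grok actually captured a client address: several of the
# patterns above have no clientIp capture, and without this guard the lookup runs on a missing
# field, which (depending on the Logstash version) yields an error log line or a
# _geoip_lookup_failure tag on every such event instead of simply skipping it.
if [clientIp] {
  geoip {
    # NOTE(review): clientIp appears to come from the forwarded-for list in the log line, which
    # the remote client can populate; treat the resulting location as a hint, not a fact.
    source => "clientIp"
    target => "geoip"
    # Lets dashboards distinguish "no location known" from "lookup never ran".
    add_tag => ['ip_processed']
    # The two add_field entries for the same key are merged into one array, giving
    # [longitude, latitude] — the order Kibana's map expects.
    add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"]
    add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"]
  }
  mutate {
    # The sprintf'd coordinates are strings; the map needs numeric values.
    convert => ["[geoip][coordinates]", "float" ]
  }
}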