Tags: logging, elasticsearch, expression, logstash, grok

Can somebody help me to grok this log?


127.0.0.1 - - [21/May/2016:13:43:37 +0200] "GET /images/example.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" "-"


Solution

  • It's an Apache log and grok has a pattern dedicated to that which is called COMBINEDAPACHELOG. So your grok can be defined like this:

    grok {
       match => {"message" => "%{COMBINEDAPACHELOG}"}
    }
    

    You'll get an event like this:

    {
            "message" => "127.0.0.1 - - [21/May/2016:13:43:37 +0200] \"GET /images/example.png HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0\" \"-\"",
           "@version" => "1",
         "@timestamp" => "2016-05-23T07:43:53.439Z",
               "host" => "iMac.local",
           "clientip" => "127.0.0.1",
              "ident" => "-",
               "auth" => "-",
          "timestamp" => "21/May/2016:13:43:37 +0200",
               "verb" => "GET",
            "request" => "/images/example.png",
        "httpversion" => "1.1",
           "response" => "304",
              "bytes" => "0",
           "referrer" => "\"-\"",
              "agent" => "\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0\""
    }
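As an added illustration (not part of the answer above, and not Logstash's own code), the following Python script does by hand what the grok filter does: it expands a simplified, hand-transcribed copy of COMBINEDAPACHELOG (COMMONAPACHELOG plus two QS fields) into a regex with named groups, runs it unanchored against the line from the question, so the trailing `"-"` field is simply left unparsed, as in the event shown, and then applies the post-processing a real pipeline would do with mutate and date filters: strip the quotes that QS leaves on referrer and agent, convert response and bytes to integers, and parse timestamp so that @timestamp can be set to the request time (21 May) instead of the ingest time (23 May) visible in the event above. The sub-pattern definitions are simplified transcriptions, not the stock grok-patterns file; the two extra sample lines (a non-HTTP probe hitting port 80, which lands in rawrequest, and a line that does not match at all, which Logstash would tag _grokparsefailure) are constructed for the example.

```python
"""Expand a grok pattern into a regex and parse Apache combined-format lines."""
import re
from datetime import datetime

# Sub-patterns transcribed (and simplified) from the stock Logstash grok-patterns
# library for this example; the real definitions are longer.
GROK_PATTERNS = {
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.\-]*)",
    "USER": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "DATA": r".*?",
    "QS": r'"(?:[^"\\]|\\.)*"',  # quoted string; like grok's QS, the quotes are captured
    "COMMONAPACHELOG": (
        r"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "
        r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
        r"%{NUMBER:response} (?:%{NUMBER:bytes}|-)"
    ),
    "COMBINEDAPACHELOG": r"%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(pattern: str) -> str:
    """Recursively replace %{NAME} / %{NAME:field} with (named) regex groups."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        inner = expand_grok(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


COMBINED_RE = re.compile(expand_grok("%{COMBINEDAPACHELOG}"))


def grok_combined(line: str):
    """Return the grok-style field dict for one line, or None when the pattern
    does not match (Logstash would add the _grokparsefailure tag instead)."""
    m = COMBINED_RE.search(line)  # grok matches unanchored: trailing fields are ignored
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def normalize(fields: dict) -> dict:
    """What a pipeline would do after grok with mutate and date filters:
    drop the QS quotes, convert numeric fields, parse the Apache timestamp."""
    out = dict(fields)
    for key in ("referrer", "agent"):
        if key in out and len(out[key]) >= 2:
            out[key] = out[key][1:-1]
    for key in ("response", "bytes"):
        if key in out:
            out[key] = int(out[key])
    if "timestamp" in out:
        # Same format the Logstash date filter would be given: dd/MMM/yyyy:HH:mm:ss Z
        out["event_time"] = datetime.strptime(out["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return out


# The line from the question, plus two constructed lines for the edge cases.
SAMPLE_LINE = (
    '127.0.0.1 - - [21/May/2016:13:43:37 +0200] "GET /images/example.png HTTP/1.1" 304 0 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" "-"'
)
TLS_PROBE_LINE = r'10.0.0.5 - - [21/May/2016:13:44:01 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"'
GARBAGE_LINE = "not an apache access log line"


def parse_lines(lines):
    """Parse many lines; unparsable ones are reported the way Logstash tags them."""
    results = []
    for line in lines:
        fields = grok_combined(line)
        if fields is None:
            results.append({"message": line, "tags": ["_grokparsefailure"]})
        else:
            results.append(normalize(fields))
    return results


if __name__ == "__main__":
    for event in parse_lines([SAMPLE_LINE, TLS_PROBE_LINE, GARBAGE_LINE]):
        print(event)
```

The rawrequest branch is worth keeping when you write your own pattern: scanner traffic and TLS handshakes sent to a plain-HTTP port do not look like `VERB path HTTP/x.y`, and without that fallback every such line becomes a `_grokparsefailure` and disappears from your response-code dashboards.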