I am a newbie to logstash / grok patterns.
In my logfile I have a line in the format below:
::ffff:172.19.7.180 - - [10/Oct/2016:06:40:26 +0000] 1 "GET /authenticator/users HTTP/1.1" 200 7369
When I try to use a simple IP pattern matching %{IP}, using grok constructor, it shows only partial match:
after match: .19.7.180 - - [10/Oct/2016:06:33:58 +0000] 1 "POST /authenticator/searchUsers HTTP/1.1" 200 280
So only part of the IP address matched, as the 'after match' portion still shows the remaining part of the IP address.
Queries:
1. What is this format of IP address, ::ffff:172.19.7.180?
2. How do I resolve this issue, to ensure the IP address is correctly parsed?
BTW, I am using the Node.js middleware logger morgan, which prints the IP address in this format.
Note that the log contains both IPv4 and IPv6 addresses separated by a colon, so the correct pattern you need to use is the following one:
%{IPV6:ipv6}:%{IPV4:ipv4}
Then in your event you'll have two fields:
"ipv6" => "::ffff"
"ipv4" => "172.19.7.180"
This will work until this issue is resolved.
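
An added example, not part of the original question or answer: `::ffff:172.19.7.180` is the IPv4-mapped IPv6 notation (RFC 4291), so another option is to normalise the address to plain IPv4 before it is logged or indexed, so that allowlists, rate limits and detections see one address per client. The function names and the second and third sample lines are constructed for this sketch.

```javascript
// Sample lines: the first is the line from the question, the other two are constructed.
const SAMPLE_LINES = [
  '::ffff:172.19.7.180 - - [10/Oct/2016:06:40:26 +0000] 1 "GET /authenticator/users HTTP/1.1" 200 7369',
  '::ffff:ac13:7b4 - - [10/Oct/2016:06:40:27 +0000] 1 "GET /authenticator/users HTTP/1.1" 200 7369',
  '2001:db8::1 - - [10/Oct/2016:06:40:28 +0000] 1 "GET /authenticator/users HTTP/1.1" 200 7369',
];

// Strict dotted-quad check: four decimal octets, each 0-255, no leading zeros.
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Return the embedded IPv4 address for an IPv4-mapped IPv6 address
// (::ffff:a.b.c.d or its hex form ::ffff:hhhh:hhhh); return any other input unchanged.
function normalizeClientAddress(addr) {
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(addr);
  if (dotted && isIPv4(dotted[1])) return dotted[1];
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(addr);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return addr;
}

// Split a log line into the client address (first token) and the remainder.
function parseLine(line) {
  const m = /^(\S+) (.*)$/.exec(line);
  if (!m) return null;
  return { raw: m[1], client: normalizeClientAddress(m[1]), rest: m[2] };
}

for (const line of SAMPLE_LINES) {
  const parsed = parseLine(line);
  console.log(parsed.raw, '->', parsed.client);
}
```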