logstash, logstash-grok

Issues parsing grok pattern for nginx error log


Hello to all, I have the following line in a log file

2018/05/11 23:08:28 [error] 53734#53734: *621532077 upstream prematurely closed connection while reading response header from upstream, client: 192.168.22.10, server: www.testserver.pt, request: "GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", host: "www.testserver.pt", referrer: "https://www.testserver.pt/"

And I am trying to use the following grok pattern to parse it

input {
    beats {
        port => "5044"
    }
}
filter {
    grok {
        match => { "message" => '%{F_TIMESTAMP: timestamp} \[%{DATA:Message_type}\] %{DATA:EventId}\: \*%{NUMBER:Secondaryid} %{GREEDYDATA:Message}, client: %{IP:origin}, server: %{URIHOST:domain}, request: "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}", upstream: %{QS:userRequest}, host: "%{URIHOST:host}", referrer: %{QS:referrer}' }
    }
    date {
        locale => "en"
        match => ["timestamp", "YYYY/MM/dd HH:mm:ss"]
        target => "@timestamp"
    }
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "logstash-%{+YYYY.MM.dd.HH}"
        user => "elastic"
        password => "changeme"
    }
}

It is not doing the trick.


Solution

  • A simple Google search reveals it's the NGINX error log.

    You can use the following grok pattern:

    (?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:errormessage}, client: %{IP:client}, server: %{GREEDYDATA:server}, request: %{GREEDYDATA:request}
    

    Output

    {
      "timestamp": [
        [
          "2018/05/11 23:08:28"
        ]
      ],
      "YEAR": [
        [
          "2018"
        ]
      ],
      "MONTHNUM": [
        [
          "05"
        ]
      ],
      "MONTHDAY": [
        [
          "11"
        ]
      ],
      "TIME": [
        [
          "23:08:28"
        ]
      ],
      "HOUR": [
        [
          "23"
        ]
      ],
      "MINUTE": [
        [
          "08"
        ]
      ],
      "SECOND": [
        [
          "28"
        ]
      ],
      "severity": [
        [
          "error"
        ]
      ],
      "pid": [
        [
          "53734"
        ]
      ],
      "threadid": [
        [
          "53734"
        ]
      ],
      "BASE10NUM": [
        [
          "53734",
          "621532077"
        ]
      ],
      "connectionid": [
        [
          "621532077"
        ]
      ],
      "errormessage": [
        [
          "upstream prematurely closed connection while reading response header from upstream"
        ]
      ],
      "client": [
        [
          "192.168.22.10"
        ]
      ],
      "IPV6": [
        [
          null
        ]
      ],
      "IPV4": [
        [
          "192.168.22.10"
        ]
      ],
      "server": [
        [
          "www.testserver.pt"
        ]
      ],
      "request": [
        [
          ""GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", host: "www.testserver.pt", referrer: "https://www.testserver.pt/""
        ]
      ]
    }
    

    You can test it here.

    Please also look at the following example for parsing the nginx error log on GitHub.

    Hope it helps.
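The same parse, written as a plain Python regex so it can be checked offline without a grok debugger (an added example, not code from the question or the answer). It expands the answer's grok pattern by hand and, going one step beyond it, gives the trailing upstream/host/referrer fields their own captures instead of letting the greedy `request` capture swallow them; the second sample line and the `[notice]` line are constructed to show the optional tail and a non-matching line (what Logstash would tag `_grokparsefailure`).

```python
import re
from datetime import datetime

# Constructed sample lines: the first is the question's line, the second is
# the same format without the optional upstream/host/referrer tail.
SAMPLE_LINES = [
    '2018/05/11 23:08:28 [error] 53734#53734: *621532077 upstream prematurely '
    'closed connection while reading response header from upstream, '
    'client: 192.168.22.10, server: www.testserver.pt, '
    'request: "GET /methods/userinfo.ashx/getUserOpenBetsData? HTTP/2.0", '
    'upstream: "https://188.11.2.3:443/methods/userinfo.ashx/getUserOpenBetsData?", '
    'host: "www.testserver.pt", referrer: "https://www.testserver.pt/"',
    '2018/05/11 23:09:01 [error] 53734#53734: *621532100 open() "/var/www/x" '
    'failed (2: No such file or directory), client: 10.0.0.5, '
    'server: www.testserver.pt, request: "GET /x HTTP/1.1"',
]

# Hand-expanded version of the answer's grok pattern (%{YEAR}, %{LOGLEVEL},
# %{POSINT}, %{IP} ...), with the request line split into verb/path/version
# and the optional upstream/host/referrer fields captured separately.
NGINX_ERROR_RE = re.compile(
    r'^(?P<timestamp>\d{4}[./]\d{2}[./]\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<severity>\w+)\] '
    r'(?P<pid>\d+)#(?P<threadid>\d+): '
    r'\*(?P<connectionid>\d+) '
    r'(?P<errormessage>.*?), '
    r'client: (?P<client>[0-9a-fA-F.:]+), '
    r'server: (?P<server>[^,\s]+), '
    r'request: "(?P<verb>\w+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)"'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?$'
)

def parse_nginx_error(line):
    """Return a dict of named fields plus '@timestamp', or None on no match."""
    m = NGINX_ERROR_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Same layout as the question's date filter: "YYYY/MM/dd HH:mm:ss".
    ts = fields['timestamp'].replace('.', '/')
    fields['@timestamp'] = datetime.strptime(ts, '%Y/%m/%d %H:%M:%S')
    return fields

if __name__ == '__main__':
    notice = '2018/05/11 23:10:00 [notice] 1#1: signal process started'
    for line in SAMPLE_LINES + [notice]:
        print(parse_nginx_error(line))
```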