I'm stuck with grok. Here is the code that I want to use in Kibana:
"1.1.1.1" "NULL-AUTH-USER" "21/Jul/2010:20:22:31 +0100" "GET /html/some_file.txt HTTP/1.1" 200 674347
However, I can't pass through the "NULL-AUTH-USER". The IP address is handled, this is fine, but after that I'm stuck. The grok code that does not give back what I want:
%{IP:ipadd}%{WORD:notauusr}
The goal is to have something like this:
IP-address user date&time method uri returncode size
Thank you for your help in advance!
You can use:
"%{IPORHOST:clientip}" "%{USER:auth}" "%{HTTPDATE:timestamp}" "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
That is a modified version of COMMONAPACHELOG.
Check out: https://www.elastic.co/guide/en/logstash/current/config-examples.html and https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/httpd
There is also https://grokdebug.herokuapp.com which is a great tool to debug grok patterns.
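Worked example, added here and not part of the answer above: a small Python grok expander that rewrites `%{NAME:field}` references into a regex with named groups, then runs both the question's non-working pattern and the answer's pattern against the question's log line. The pattern definitions are cut-down versions of the logstash-patterns-core ones (an assumption made so the script runs offline; the real definitions are stricter), and the user field is named `auth` as COMMONAPACHELOG does.

```python
import re

# Cut-down versions of the logstash-patterns-core definitions (assumption:
# simplified so the example runs offline; the real ones are stricter).
PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z.-]*\b",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "USER": r"[a-zA-Z0-9._-]+",          # hyphens allowed, unlike WORD
    "WORD": r"\b\w+\b",                  # \w has no hyphen, so NULL-AUTH-USER fails here
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "NUMBER": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "HTTPDATE": r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(grok):
    """Rewrite %{NAME:field} references into a plain regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(PATTERNS[name])  # a definition may reference other definitions
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, grok)


def grok_match(grok, line):
    """Behave like a grok filter: unanchored search, return the captured fields or None."""
    m = re.search(expand(grok), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# The question's log line and its non-working pattern.
LOG_LINE = ('"1.1.1.1" "NULL-AUTH-USER" "21/Jul/2010:20:22:31 +0100" '
            '"GET /html/some_file.txt HTTP/1.1" 200 674347')
BROKEN = r"%{IP:ipadd}%{WORD:notauusr}"

# The answer's pattern, with the user field named "auth" as in COMMONAPACHELOG.
FIXED = (r'"%{IPORHOST:clientip}" "%{USER:auth}" "%{HTTPDATE:timestamp}" '
         r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
         r'%{NUMBER:response} (?:%{NUMBER:bytes}|-)')


def parse_line(line):
    """Return the fields in the order the question asks for, or None on no match.

    A size of "-" (no body) yields None for the last element, because the
    (?:%{NUMBER:bytes}|-) alternation captures nothing in that case.
    """
    fields = grok_match(FIXED, line)
    if fields is None:
        return None
    return (fields["clientip"], fields["auth"], fields["timestamp"],
            fields.get("verb"), fields.get("request"),
            fields["response"], fields.get("bytes"))


if __name__ == "__main__":
    # The broken pattern gives None: the closing quote, space and opening quote sit
    # between the IP and the user, and WORD cannot match the hyphenated user anyway.
    print(grok_match(BROKEN, LOG_LINE))
    print(parse_line(LOG_LINE))
```

Running the script prints `None` for the question's pattern and the seven-field tuple for the answer's pattern; the first reason the original attempt fails is the literal `" "` between the two values, and the second is that `WORD` only accepts `\w` characters while `USER` accepts hyphens, dots and underscores.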