How to process fastly logs in logstash


#1

Hi,

We are trying to process fastly access logs with ELK stack. We are trying with syslog format. The log format is:

%h %t %r %>s %b %{resp.http.X-Cache}V %{req.http.user-agent}V %{req.http.referer}V %{geoip.city}V

Here is a sample logs:

Mar 25 09:57:33 X VerticalAlfa X<134>2018-03-25T13:57:32Z cache-scl19420 VerticalAlfa_syslog[28479]: 190.233.180.138 [25/Mar/2018:13:47:30 +0000] POST /diez-platos-fundamentales-de-la-cocina-peruana-1190601?url=https%3A%2F%2Fwww.VerticalAlfa.com%2Fdiez-platos-fundamentales-de-la-cocina-peruana-1190601 HTTP/1.1 503 “-” MISS Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 https://www.VerticalAlfa.com/diez-platos-fundamentales-de-la-cocina-peruana-1190601 Lima

How do we extract all the field in Logstash?

Here is the logstash filter configuration

filter {

  grok {
    match => {
      "message" => "%{CISCOTIMESTAMP} X %{WORD:vertical} X%{SYSLOG5424PRI}%{SYSLOGLINE}"
      if ("" in [message]) {
         grok {
           match => {
             "message" => "%{IPORHOST:clientip} %{SYSLOG5424SD} %{WORD:verb} %{URIPATHPARAM} HTTP/%{NUMBER:httpversion} %{DATA:reques:int} (?:-|%{NUMBER:bytes:int}) %{WORD:fastly_hierarchy_status} %{QS:referrer} %{QS:agent} %{URI} %{WORD:city}"
           }
         }
      }
    }
  }
}

But it is not matching any logs. Please help.

Thanks
Ferdous Shibly


#2

Hello Ferdous,

We would love to help but unfortunately filtering in logstash might not be something we have an expertise in. The best thing I would recommend is to make sure that Fastly is sending the logs in a format that easiest to filter in Logstash. For example, you could try sending the log in JSON format to see if that makes it easier. I also recommend posting to https://discuss.elastic.co/ to see if there could be any insight on filtering.

Regards,
Steven