12-jamo-apache.conf
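filter {
  if [type] == "jamo-apache-access" {
    # Parse the raw Apache access line. The patterns are tried in order and the
    # first one that matches wins (the three repeated `match =>` lines of the
    # original are expressed as one array, the documented multi-pattern form).
    # Variants: a line with two leading IPs, the plain combined format, and a
    # line carrying an authenticated username.
    # NOTE(review): in the first pattern both IPs are captured as `client_ip`,
    # which turns the field into an array; which of the two is the real client
    # depends on the server's LogFormat -- confirm before relying on the geoip
    # result below.
    # The response-size column is `-` when no body was sent, so it is matched
    # as either a number or a bare dash instead of failing the whole line.
    grok {
      match => {
        "message" => [
          "%{IP:client_ip} - %{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} (?:%{NUMBER:size:float}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} (?:%{NUMBER:size:float}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} (?:%{NUMBER:size:float}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}"
        ]
      }
    }
    mutate {
      # URIPARAM captures the leading "?" as part of the query string. Strip
      # only that first character (anchored), so a "?" inside a parameter
      # value survives for the kv split below.
      gsub => [ "params", "^\?", "" ]
    }
    # Split "a=1&b=2" into one event field per query parameter.
    # NOTE(review): the keys come straight from the request, so a client
    # controls which field names are created here (and can collide with
    # existing ones); a `target` to namespace them is worth considering.
    kv {
      field_split => "&"
      source => "params"
    }
    mutate {
      # Drop the credential-bearing parameters, the raw query string and the
      # original line so none of them are indexed. Only these two parameter
      # names are redacted -- any other secret-carrying parameter must be
      # added here. This also runs when grok did not match, so a
      # _grokparsefailure event is left without its raw line.
      remove_field => [ "password", "password_confirmation", "params", "message" ]
    }
    geoip {
      source => "client_ip"
    }
    date {
      # `yyyy` is the calendar year. The original `YYYY` is Joda's week-based
      # year, which gives the wrong year for timestamps around New Year.
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      # The `Z` token takes the offset from the log line itself; `timezone`
      # presumably only matters for a value that lacks one -- verify.
      timezone => "EET"
    }
  }
}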