I have filebeats send my apache access logs to graylog 2
At one point the logs were being separated into separate fields; somewhere
along the way that stopped working.
My filebeats config looks like this:
################### Filebeat Configuration Example #########################
# /etc/filebeat/filebeat.yml
############################# Filebeat ######################################
filebeat:
  prospectors:
    # Each prospector tails a set of files and tags them with document_type,
    # which Graylog can use in extractor conditions and stream rules.
    -
      paths:
        - /var/log/audit/audit.log
        - /var/log/boot.log
        - /var/log/cron
        - /var/log/dmesg
        - /var/log/messages
        - /var/log/secure
        - /var/log/yum.log
      document_type: syslog
    -
      paths:
        - /var/log/httpd/*_access_log
      document_type: apache-access
    -
      paths:
        - /var/log/httpd/*_error_log
      document_type: apache-error
output:
  # Graylog's Beats input speaks the Logstash/lumberjack protocol on 5044
  logstash:
    hosts: ["mygrayloghost:5044"]
    index: filebeat
logging:
  level: debug
  to_files: true
  to_syslog: false
  tail_files: true
  close_older: true
  files:
    path: /var/log
    name: filebeat.log
    keepfiles: 2
All logs are sent to the graylog server and are searchable; the problem is
that the Apache logs are not being broken into separate fields.
We have an Extractor configured in Graylog and when we load a message and
hit "Try it" in the Extractor config page we get an expected result (see
attached), but we do not see the same when we search, the fields just
appear in a single message field.
<https://lh3.googleusercontent.com/-74lRlINYPo4/V7InnCAvG4I/AAAAAAAAsBg/QfPdm6Hvmso9pCfQMfK1OmEfZ73y4soJwCLcB/s1600/Capture.PNG>
Any clues as to what is going wrong here would be appreciated.