We have been using Graylog for sorting system logs, but today when I tried to use the same for Apache logs it doesn't seem to work as needed. The issue cropped up when I tried to search Apache logs (after the Grok pattern was applied) in the Graylog UI and filter them based on request size bigger than 1024 (Graylog search using the "bytes" parameter). The search output never returns output as intended, with results still showing logs of requests below 1024.
Can anyone shed some light on whether I need to enable it from config or I am making some mistake? I know we are running an outdated version, but it still shouldn't be a problem.
Graylog : 1.3.3
Elasticsearch : 1.5.0
Graylog Web Interface : 1.3.3
Log Line : 192.168.0.155 - - [30/May/2017:01:41:46 -0700] "POST /testing.php HTTP/1.1" 200 41 (this value to be searched above 1024) "https://www.----.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
Graylog Search : gl2_source_input:3dvbf2eb78crrca5aa26521a AND verb:POST AND bytes:>1000
Graylog Search : gl2_source_input:3dvbf2eb78crrca5aa26521a AND verb:POST AND bytes:[1000 TO 10000]
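As an added example that is not part of the original post: a self-contained Python script that parses combined-format lines with a regex equivalent of the COMBINEDAPACHELOG grok pattern and then evaluates the two queries above over the parsed records, once with the bytes field left as a string and once cast to an integer. It assumes (the post does not confirm this) that the extractor stored bytes as a string; a range query against a string field compares lexicographically, so "41" > "1000" holds and a 41-byte request matches bytes:>1000. The log lines are constructed, modelled on the one in the post.

```python
import re
from typing import Dict, List, Union

# Regex equivalent of the COMBINEDAPACHELOG grok pattern. Group names follow the
# grok field names (clientip, verb, request, httpversion, response, bytes, referrer, agent).
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>-|\d+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample traffic (not real logs): a 41-byte POST like the one in the
# post, plus POSTs above and below the 1000-byte threshold, a GET, and a bodiless 304.
SAMPLE_LOG = """\
192.168.0.155 - - [30/May/2017:01:41:46 -0700] "POST /testing.php HTTP/1.1" 200 41 "https://www.example.com/" "Mozilla/5.0"
192.168.0.155 - - [30/May/2017:01:41:47 -0700] "POST /upload.php HTTP/1.1" 200 20480 "https://www.example.com/" "Mozilla/5.0"
192.168.0.156 - - [30/May/2017:01:41:48 -0700] "GET /index.html HTTP/1.1" 200 999 "-" "curl/7.52.1"
192.168.0.157 - - [30/May/2017:01:41:49 -0700] "POST /api HTTP/1.1" 201 1500 "-" "curl/7.52.1"
192.168.0.158 - - [30/May/2017:01:41:50 -0700] "POST /ping HTTP/1.1" 304 - "-" "curl/7.52.1"
"""

Doc = Dict[str, Union[str, int]]


def parse(line: str) -> Dict[str, str]:
    """Extract every field as a plain string, as an extractor with no type conversion would."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("line does not match the combined log format: %r" % line)
    return m.groupdict()


def coerce_bytes(fields: Dict[str, str]) -> Doc:
    """Return a copy with bytes converted to int; '-' (no body) is treated as 0."""
    out: Doc = dict(fields)
    raw = fields["bytes"]
    out["bytes"] = 0 if raw == "-" else int(raw)
    return out


def load_docs(numeric: bool) -> List[Doc]:
    """Parse the sample log; numeric=True models a correctly typed bytes field."""
    docs: List[Doc] = [parse(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return [coerce_bytes(d) for d in docs] if numeric else docs


def query_gt(docs: List[Doc], lo: Union[str, int]) -> List[str]:
    """verb:POST AND bytes:>lo. The comparison operator is the same in both cases;
    only the type of the field and the bound decides whether it is numeric or lexicographic."""
    return [d["request"] for d in docs if d["verb"] == "POST" and d["bytes"] > lo]


def query_range(docs: List[Doc], lo: Union[str, int], hi: Union[str, int]) -> List[str]:
    """verb:POST AND bytes:[lo TO hi] (inclusive on both ends, as in Lucene syntax)."""
    return [d["request"] for d in docs
            if d["verb"] == "POST" and lo <= d["bytes"] <= hi]


if __name__ == "__main__":
    as_string = load_docs(numeric=False)
    as_number = load_docs(numeric=True)
    print("string field, bytes:>1000        ->", query_gt(as_string, "1000"))
    print("numeric field, bytes:>1000       ->", query_gt(as_number, 1000))
    print("string field, [1000 TO 10000]    ->", query_range(as_string, "1000", "10000"))
    print("numeric field, [1000 TO 10000]   ->", query_range(as_number, 1000, 10000))
```

With the field stored as a string, the 41-byte /testing.php request matches bytes:>1000 because "4" sorts after "1", and the inclusive range finds nothing at all because "20480" and "1500" both sort above "10000". Only the integer-typed records give the expected answers. Before changing extractors or reindexing, the check a practitioner would run is to confirm the field's actual type in the index mapping (for example Elasticsearch's GET /_mapping on the Graylog index) rather than infer it from search results.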