Graylog with Filebeat how to split the message fields like client ip, request path

Graylog Central (peer support)
1

Hi All,

I have setup graylog with elasticsearch + mongodb + filebeat.
I have file beat read nginx access log file and send to graylog. But i need to split the message into multiple fields like (clientip,request URL, request method and useragent etc…

Please help me how do i split the single message field into multiple fields.

2

without seeing the actual message field you need help with, all I can say is to use either extractors or pipelines to process the message.

3

Hi @cawfehman,
Please find the below sample message log.

111.01.01.01, 111.02.02.02, 111.03.03.03 - - [31/Mar/2020:03:28:35 +0700] “GET /static/frontend/product-attribute.html HTTP/1.1” 200 254 "https://www.example.com/
" “Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1”

filebeat.yml

#================= Filebeat inputs =================

filebeat.inputs:

  • type: log
    enabled: true
    paths:
    • /var/log/access.log

#—————————– Logstash output ——————————–
output.logstash:

The Logstash hosts

hosts: [“graylog:1514”]

4

I suggest check the community’s search, and google for examples. Or read the graylog’s docs.
You can do it by extractors, or by pipelines.

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.