Graylog with Filebeat how to split the message fields like client ip, request path

Hi All,

I have set up Graylog with Elasticsearch + MongoDB + Filebeat.
I have Filebeat read the nginx access log file and send it to Graylog, but I need to split the message into multiple fields (client IP, request URL, request method, user agent, etc.).

Please help me: how do I split the single message field into multiple fields?

Without seeing the actual message field you need help with, all I can say is to use either extractors or pipelines to process the message.

Hi @cawfehman,
Please find the below sample message log.

111.01.01.01, 111.02.02.02, 111.03.03.03 - - [31/Mar/2020:03:28:35 +0700] "GET /static/frontend/product-attribute.html HTTP/1.1" 200 254 "https://www.example.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"

filebeat.yml

#================= Filebeat inputs =================
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/access.log

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["graylog:1514"]

I suggest checking the community's search and googling for examples, or reading the Graylog docs.
You can do it by extractors, or by pipelines.
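
The field split asked about above, as an added example that is not part of the original thread: a Python parser for the sample line, whose pattern logic can be carried over into an extractor or pipeline rule. The output field names are hypothetical, and the leading comma-separated address list is assumed to be an X-Forwarded-For style proxy chain.

```python
import re
from datetime import datetime

# Sample line from the thread (line break and typographic quotes repaired).
SAMPLE = (
    '111.01.01.01, 111.02.02.02, 111.03.03.03 - - [31/Mar/2020:03:28:35 +0700] '
    '"GET /static/frontend/product-attribute.html HTTP/1.1" 200 254 '
    '"https://www.example.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 '
    'like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 '
    'Mobile/15E148 Safari/604.1"'
)

# Combined log format, except that the first field may be a comma-separated
# address list (assumed here to be an X-Forwarded-For style proxy chain).
ACCESS_RE = re.compile(
    r'^(?P<addrs>[^\s,]+(?:,\s*[^\s,]+)*)\s+\S+\s+(?P<user>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+'
    r'"(?P<referrer>[^"]*)"\s+"(?P<user_agent>[^"]*)"\s*$'
)

def parse_access_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None  # leave unparsed lines untouched instead of guessing
    chain = re.split(r',\s*', m['addrs'])
    # Scanners and TLS-on-HTTP probes produce requests that are not
    # "METHOD PATH PROTOCOL"; keep the raw string and leave the parts empty.
    parts = m['request'].split(' ')
    method, path, protocol = parts if len(parts) == 3 else (None, None, None)
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {
        'forwarded_chain': chain,
        # Leftmost entry is what the client claimed; it is only trustworthy
        # if the edge proxy overwrites the header. Rightmost is the last hop.
        'client_ip_claimed': chain[0],
        'last_hop_ip': chain[-1],
        'timestamp': ts.isoformat(),
        'request': m['request'],
        'method': method, 'path': path, 'protocol': protocol,
        'status': int(m['status']),
        'bytes': 0 if m['bytes'] == '-' else int(m['bytes']),
        'referrer': m['referrer'],
        'user_agent': m['user_agent'],
    }

if __name__ == '__main__':
    for key, value in parse_access_line(SAMPLE).items():
        print(f'{key}: {value}')
```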
