add more grok rule for http request

GSA · Dec 28, 2023 · e2e8c76 · e2e8c76
1 parent 6718f2b
commit e2e8c76
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/logstash/logstash.conf b/logstash/logstash.conf
@@ -75,7 +75,7 @@ filter{
   }
   grok {
       match => {
-        "log_data" => '%{HOSTNAME:hostname} - \[%{TIMESTAMP_ISO8601:timestamp}\] %{GREEDYDATA:http_request} "-" %{QUOTEDSTRING:http_user_agent} ".*" ".*" x_forwarded_for:"(?:%{IPORHOST:forwarded_ips}(?:, %{IPORHOST:forwarded_ips})*)" .*'
+        "log_data" => '%{HOSTNAME:hostname} - \[%{TIMESTAMP_ISO8601:timestamp}\] "%{WORD:http_method} %{GREEDYDATA:request_uri} %{DATA:http_version}" %{NUMBER:http_status} %{NUMBER:response_size} %{NUMBER:response_time} %{QUOTEDSTRING:http_user_agent}? %{QUOTEDSTRING:http_user_agent} ".*" ".*" x_forwarded_for:"(?:%{IPORHOST:forwarded_ips}(?:, %{IPORHOST:forwarded_ips})*)" .*'
         tag_on_failure => []
         overwrite => ["message"]
         break_on_match => false
@@ -92,6 +92,7 @@ filter{
   mutate {
     add_field => { "[@metadata][NEWRELIC_KEY]" => "${NEWRELIC_LICENSE_KEY:notpresent}" }
     add_field => { "[@metadata][AWS_S3_PROXY]" => "${AWS_S3_PROXY:notpresent}" }  
+    remove_field => ["skip"]
   }
 
 }