Some of the logs I am parsing are formatted like this:
127.0.0.1 - - [24/Jan/2012:02:14:18 +0000] "GET /path/to/data/index.html HTTP/1.1" 200 1110 "https://example.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
However, others also list the vhost in a quoted string, like this:
127.0.0.1 - - [24/Jan/2012:02:14:18 +0000] "GET /path/to/data/index.html HTTP/1.1" 200 1110 "https://example.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "vhost.example.com"
So, I set up my filter section like this:
filter {
  grok {
    type => "apache-access"
    # Patterns are tried in order; the first match wins, so the longer
    # pattern (with the trailing quoted vhost) must come before the plain
    # COMBINEDAPACHELOG fallback.
    pattern => [
      "%{COMBINEDAPACHELOG} %{QS:vhost}",
      "%{COMBINEDAPACHELOG}"
    ]
  }
  date {
    type => "apache-access"
    # Parse the "timestamp" field captured by COMBINEDAPACHELOG
    timestamp => "dd/MMM/yyyy:HH:mm:ss Z"
  }
}
However, it does not seem to work as I would hope. Any suggestions?
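As an added illustration of the parsing problem described in this post (not code from the poster or from Logstash), here is a small Python parser that handles both line formats with one regular expression: the equivalent of COMBINEDAPACHELOG followed by an optional quoted vhost. Unlike grok's QS pattern, which keeps the surrounding quotes in the captured value, the vhost is returned without them; a line that matches neither shape yields None, the equivalent of a grok parse failure. The two sample lines are the ones from the post; the third, malformed line is constructed for the example.

```python
import re
from datetime import datetime

# Regex equivalent of grok's COMBINEDAPACHELOG, extended with an optional
# trailing quoted vhost field. Named groups mirror the grok field names.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>-|\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<vhost>[^"]*)")?'   # optional vhost, quotes not captured
    r'\s*$'
)

# Sample input: the two lines from the post plus one constructed bad line.
SAMPLE_LINES = [
    '127.0.0.1 - - [24/Jan/2012:02:14:18 +0000] "GET /path/to/data/index.html HTTP/1.1" '
    '200 1110 "https://example.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) '
    'Gecko/20100101 Firefox/9.0.1"',
    '127.0.0.1 - - [24/Jan/2012:02:14:18 +0000] "GET /path/to/data/index.html HTTP/1.1" '
    '200 1110 "https://example.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) '
    'Gecko/20100101 Firefox/9.0.1" "vhost.example.com"',
    '127.0.0.1 - - [24/Jan/2012:02:14:18 +0000] "GET /truncated',   # constructed, malformed
]


def parse_line(line):
    """Parse one access-log line.

    Returns a dict of fields, or None when the line does not match
    (the analogue of grok tagging the event with _grokparsefailure).
    """
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["response"] = int(rec["response"])
    # Apache writes "-" for a zero-byte response body
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Same layout as the date filter's "dd/MMM/yyyy:HH:mm:ss Z"
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_lines(lines):
    """Parse many lines; returns (records, failed_lines)."""
    records, failed = [], []
    for line in lines:
        rec = parse_line(line)
        (records if rec is not None else failed).append(rec if rec is not None else line)
    return records, failed


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for rec in ok:
        print(rec["clientip"], rec["timestamp"].isoformat(), rec["request"],
              rec["response"], rec["bytes"], "vhost=%s" % rec["vhost"])
    print("unparsed lines:", len(bad))
```

Keeping the unparsed lines separate rather than dropping them matters operationally: a sudden rise in parse failures usually means a format change on one host, and silently losing those events would also lose any requests an attacker sent to that host.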