12-apache.conf
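# Logstash filter stage for Apache access logs.
# Applies only to events whose [type] is "apache-access" or "apache"; everything
# else passes through untouched.
filter {
  if [type] == "apache-access" or [type] == "apache" {
    grok {
      # All patterns live in ONE match option as an ordered list. This is the
      # documented way to give grok several alternatives; it is tried in order
      # and stops at the first hit (break_on_match defaults to true), which is
      # why the more specific UUID-prefixed and time_taken-carrying variants
      # come before the shorter ones. Events that match none are tagged
      # _grokparsefailure (the plugin default).
      #
      # NOTE(review): the "IP - IP - -" variants capture both addresses into
      # client_ip, so that field becomes a two-element array; geoip below uses
      # only the first element. Whether that first address is the TCP peer or a
      # value copied from a forwarded/proxy header depends on the Apache
      # LogFormat, which is not shown here — confirm before treating it as the
      # true client, since header-supplied addresses are attacker-controlled.
      match => {
        "message" => [
          "%{UUID:request_uuid} %{IP:client_ip} - %{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{UUID:request_uuid} %{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{UUID:request_uuid} %{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{NUMBER:time_taken:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}(?:%{URIPARAM:params})? HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:bytes_sent:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}"
        ]
      }
    }

    mutate {
      # drop the ? from beginning of params (and elsewhere...)
      # Every "?" in the query string is removed, not just the leading one, so a
      # value containing a literal "?" is altered before the kv split below.
      gsub => ["params", "\?", ""]
    }

    kv {
      # Explode the query string into one event field per key (value_split is
      # the plugin default, "="). Keys come straight from the request, so
      # anything a client puts in the URL becomes a field name on the event.
      field_split => "&"
      source => "params"
    }

    mutate {
      # Scrub secrets that arrive via the query string: the kv-derived password
      # fields, the raw params string, and the original line. "message" is
      # dropped unconditionally on purpose — it would otherwise retain those
      # credentials verbatim, including on _grokparsefailure events where kv
      # never ran. The trade-off is that unparsed lines leave no raw copy
      # behind; if you need one for debugging a pattern, capture it in a
      # separate pipeline rather than keeping "message" here. Extend this list
      # if the application accepts other secrets as query parameters.
      remove_field => [ "password", "password_confirmation", "params", "message" ]
    }

    geoip {
      # Enrich with location data for client_ip. Lookups for addresses with no
      # database entry (private ranges, for example) fail and tag the event with
      # the plugin default _geoip_lookup_failure rather than dropping it.
      source => "client_ip"
    }

    date {
      # Use the access-log timestamp as @timestamp. The trailing Z token parses
      # the numeric offset from the line itself, so the timezone setting below
      # presumably only matters when that offset is absent — verify against
      # the actual log lines.
      match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
      timezone => "CET"
    }

    # Optional reverse-DNS enrichment, left disabled: it adds a blocking
    # network lookup per event to the filter path, and PTR records are
    # published by whoever controls the address's reverse zone, so the result
    # is informational only and must not be used as an identity for the client.
    # mutate {
    #   add_field => { "request_hostname" => "%{client_ip}" }
    # }
    # dns {
    #   reverse => [ "request_hostname"]
    #   add_tag => [ "dns_lookup" ]
    #   action => "replace"
    # }
  }
}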