Some logs, such as Apache's, cannot be written as JSON the way Nginx's can, so they are parsed with the Grok plugin.
Grok uses regular expressions to match each line and split it into fields.
The predefined patterns are located in
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns
The Apache patterns are in the file grok-patterns.
See the official documentation:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
vim /etc/logstash/conf.d/grok.conf
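input {
  stdin {}
}
filter {
  grok {
    # Split each line read from stdin into named fields
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  }
}
output {
  # Print the parsed event to the console
  stdout { codec => rubydebug }
}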
Start
/opt/logstash/bin/logstash -f grok.conf
Output
PS: Grok has a large performance impact and is inflexible; a logstash-redis-python-es pipeline can be used instead.
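How the match expression in grok.conf above becomes a single regular expression with named groups, shown as an added Python sketch (not code from Logstash or from this page). The entries in PATTERNS are simplified assumptions standing in for the real definitions in the grok-patterns file, and the sample lines are constructed; lines that do not match are tagged _grokparsefailure, as Logstash does, so they can be counted and reviewed rather than silently lost.

```python
import re

# Simplified stand-ins for the pattern definitions Logstash ships in its
# grok-patterns file (assumption: the real definitions are stricter).
PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\w+",
    "URIPATHPARAM": r"/\S*",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

# Matches %{SYNTAX} and %{SYNTAX:semantic} references.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(expr):
    """Expand %{SYNTAX:semantic} references into one unanchored regex."""
    def expand(m):
        syntax, semantic = m.group(1), m.group(2)
        body = PATTERNS[syntax]  # KeyError means an unknown pattern name
        return f"(?P<{semantic}>{body})" if semantic else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, expr))


def grok(regex, message):
    """Return an event dict; unmatched lines get the _grokparsefailure tag."""
    event = {"message": message}
    m = regex.search(message)
    if m is None:
        event["tags"] = ["_grokparsefailure"]
    else:
        event.update(m.groupdict())  # captured values stay strings
    return event


# Same expression as the match setting in grok.conf.
EXPR = ("%{IP:client} %{WORD:method} %{URIPATHPARAM:request} "
        "%{NUMBER:bytes} %{NUMBER:duration}")
REGEX = compile_grok(EXPR)

# Constructed sample lines: one well-formed, one that does not fit.
SAMPLES = [
    "55.3.244.1 GET /index.html 15824 0.043",
    "not an access log line",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(grok(REGEX, line))
```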
vim apache_grok.conf
Run and view the output
/opt/logstash/bin/logstash -f apache_grok.conf
Logstash in practice: the Grok filter plugin (collecting Apache logs)