I have filebeats send my apache access logs to graylog 2. At one point the logs were being separated into separate fields; somewhere that stopped working. My filebeats config looks like this:

################### Filebeat Configuration Example #########################
# /etc/filebeat/filebeat.yml
############################# Filebeat ######################################
filebeat:
  prospectors:
    - paths:
        - /var/log/audit/audit.log
        - /var/log/boot.log
        - /var/log/cron
        - /var/log/dmesg
        - /var/log/messages
        - /var/log/secure
        - /var/log/yum.log
      document_type: syslog
    - paths:
        - /var/log/httpd/*_access_log
      document_type: apache-access
    - paths:
        - /var/log/httpd/*_error_log
      document_type: apache-error
output:
  logstash:
    hosts: ["mygrayloghost:5044"]
    index: filebeat
logging:
  level: debug
  to_files: true
  to_syslog: false
  tail_files: true
  close_older: true
  files:
    path: /var/log
    name: filebeat.log
    keepfiles: 2

All logs are sent to the graylog server and are searchable. The problem is the Apache logs are not being broken into separate fields. We have an Extractor configured in Graylog, and when we load a message and hit "Try it" in the Extractor config page we get an expected result (see attached), but we do not see the same when we search; the fields just appear in a single message field.

<https://lh3.googleusercontent.com/-74lRlINYPo4/V7InnCAvG4I/AAAAAAAAsBg/QfPdm6Hvmso9pCfQMfK1OmEfZ73y4soJwCLcB/s1600/Capture.PNG>

Any clues as to what is going wrong here would be appreciated.