add UNIX timestamp to Apache access log - xiuyanduan/xiuyanduan.github.io GitHub Wiki

---
title: add UNIX timestamp to Apache access log
date: 2016-01-12
tags:
- Apache
- logstash
- linux
---

Change the LogFormat directive in the Apache configuration. The trailing `%{%s}t` formats the request time with strftime's `%s`, i.e. seconds since the Epoch, and the format is registered under the name `newcombined`:

```apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{%s}t" newcombined
```

The Apache access log then looks like this, with the UNIX timestamp as the last field of the line:

```
10.2.5.24 - - [12/Jan/2016:09:11:38 +0800] "GET /concrete5/ HTTP/1.1" 200 19098 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" 1452561098
```

See the Apache documentation of mod_log_config for the available format strings.

Logstash configuration

If the Apache access log is collected by Logstash, the ruby filter plugin can also add the UNIX timestamp, without changing the LogFormat:

```
input {
    file {
        path => "/tmp/apache.log"
        start_position => "beginning"
    }
}
filter {
    grok {
        # Apache access log in the default combined format
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    grok {
        match => ["message", "%{HTTPDATE:logdate}"]
    }
    date {
        # use the time in the access log as @timestamp
        match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
    }
    ruby {
        # change logdate to UNIX timestamp format (seconds since the Epoch)
        # Logstash 2.x event API; on Logstash 5 and later write
        #   event.set('logdate', event.sprintf('%{+%s}'))
        code => "event['logdate']=event.sprintf('%{+%s}')"
    }
    geoip {
        # used for analysis in Elasticsearch
        source => "clientip"
    }
}
output {
    stdout { codec => rubydebug }
}
```
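The following Ruby script is an added example, not code from the wiki page or from Logstash. It does outside the pipeline what the two approaches above do inside it: it parses a line in the `newcombined` format (the regex is my own, a simplified stand-in for the grok `COMBINEDAPACHELOG` pattern), converts the bracketed `%t` time to seconds since the Epoch the way the date and ruby filters do, and checks that this value agrees with the `%{%s}t` field Apache appended. The sample line is the page's own example reused as constructed input; the check is useful when debugging a timezone or date-pattern mistake in the Logstash configuration, because both values come from the same request clock and must match.

```ruby
require 'time'

# Constructed sample line in the page's "newcombined" format: the combined
# log followed by the %{%s}t epoch value (not captured from a real server).
SAMPLE_LINE = '10.2.5.24 - - [12/Jan/2016:09:11:38 +0800] "GET /concrete5/ HTTP/1.1" ' \
              '200 19098 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 ' \
              '(KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" 1452561098'

# Field layout of: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %{%s}t
# (hand-written approximation of the grok COMBINEDAPACHELOG pattern)
NEWCOMBINED_RE = /\A
  (?<clientip>\S+)\s(?<ident>\S+)\s(?<auth>\S+)\s
  \[(?<logdate>[^\]]+)\]\s
  "(?<request>[^"]*)"\s
  (?<status>\d{3})\s(?<bytes>-|\d+)\s
  "(?<referrer>[^"]*)"\s
  "(?<agent>[^"]*)"\s
  (?<epoch>\d+)
\z/x

# Parse one log line into a hash of fields; nil if the line does not match.
def parse_newcombined(line)
  m = NEWCOMBINED_RE.match(line.chomp)
  return nil unless m
  fields = m.named_captures
  fields['status'] = fields['status'].to_i
  fields['bytes']  = fields['bytes'] == '-' ? 0 : fields['bytes'].to_i
  fields['epoch']  = fields['epoch'].to_i
  fields
end

# What the date filter does: parse "dd/MMM/yyyy:HH:mm:ss Z" (Joda notation)
# into a Time; the Ruby strptime equivalent is "%d/%b/%Y:%H:%M:%S %z".
def logdate_to_time(logdate)
  Time.strptime(logdate, '%d/%b/%Y:%H:%M:%S %z')
end

# What the ruby filter does: the bracketed time as seconds since the Epoch,
# the same value strftime's %s produces.
def logdate_to_epoch(logdate)
  logdate_to_time(logdate).to_i
end

# Consistency check between %t and %{%s}t. Both are taken from the same
# request clock, so a mismatch points at a timezone or date-pattern error
# in the parsing pipeline rather than at the server.
def timestamp_consistent?(fields)
  logdate_to_epoch(fields['logdate']) == fields['epoch']
end

if __FILE__ == $PROGRAM_NAME
  fields = parse_newcombined(SAMPLE_LINE)
  puts "epoch from %t:     #{logdate_to_epoch(fields['logdate'])}"
  puts "epoch from %{%s}t: #{fields['epoch']}"
  puts "consistent: #{timestamp_consistent?(fields)}"
end
```

Run it against the sample line and both values come out as 1452561098; change the `+0800` offset in the bracketed time to `+0000` and the check fails, which is exactly the symptom a wrong `Z` handling in the date filter would produce.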

Reference: strftime(3), Linux man-pages:

    %s   The number of seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC). (TZ)