Forum Discussion
Feb 02, 2022
Hey Pete
I actually wrote a logstash parser for a customer of mine a few years ago.
Too bad I could not share it due to NDAs.
However, I can share one thing which sprang out of the exercise:
https://loadbalancing.se/2020/03/11/logstash-testing-tool/
It's not what you're looking for, but it might help when writing the pipeline. At least it helped me a lot when developing parsers.
Also wanted to input that part of the reason why this was a bit painful:
- In order to get synergy from parsing the logs the field names should match those of other sources. Makes it easier to correlate data. I have not found an opinionated database with recommended field names, but I feel that there is a need for such.
- F5 logs are pretty much free text after the log header. It was (somewhat) easy to catch the common things, but I found after a while that there were subtle differences between even the standard log messages (pool member down etc) and I pulled my hair multiple times when trying to figure it out.
Kind regards,
Patrik