Filebeat Apache module grok pattern should handle absent byte count

[cwurm]

In the Apache Combined Log Format, an absent byte count is signified by -. This has to be included in the grok pattern.

Should be something like: "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}"

Currently, the option - is missing from the default pattern in https://github.com/elastic/beats/blob/master/filebeat/module/apache2/access/ingest/default.json

[cwurm]

Another thing: The grok pattern for access logs has spaces after opening parenthesis and not before at the end: %{NUMBER:apache2.access.body_sent.bytes}( \"%{DATA:apache2.access.referrer}\")?( \"%{DATA:apache2.access.agent}\")?"

Should be %{NUMBER:apache2.access.body_sent.bytes} (\"%{DATA:apache2.access.referrer}\")? (\"%{DATA:apache2.access.agent}\")?"

[cwurm]

Hang on, that the whitespace didn't work was my mistake when I edited the grok pattern to fix the bytes. Apologies.

[ruflin]

@cwurm Could you open a PR with this changes? Then we directly see how it affects our tests.

[cwurm]

@ruflin done: #3863

[ruflin]

@cwurm Thanks a lot for the fix. Closing this one.