Filebeat apache2 module ssl_request_log grok pattern issue #8088

Closed
willemdh opened this issue Aug 24, 2018 · 2 comments
Labels: Filebeat, help wanted, module, Team:Integrations


@willemdh

Using the standard apache2 module for Apache access logs, I get "Provided Grok expressions do not match field value" errors, for example with:

[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375

Log location: /var/log/httpd/ssl_request_log

Apache version: httpd.x86_64 2.4.6-80.el7.centos.1

Filebeat 6.3.2 config:

- module: apache2
  access:
    enabled: true
    var.paths: ["/var/log/httpd/access_log","/var/log/httpd/ssl_access_log","/var/log/httpd/ssl_request_log"]
  error:
    enabled: true
    var.paths: ["/var/log/httpd/error_log","/var/log/httpd/ssl_error_log"]

error.message in Kibana:

Provided Grok expressions do not match field value: [[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375]

For confirmed bugs, please report:

@ruflin added the "help wanted" label Aug 27, 2018
@faulander

any news here? Running into the same problem ...

@willemdh

willemdh commented Oct 16, 2019

@ruflin @kaiyan-sheng,

I seem to be getting some grok parse failures on our apache request logs:

Example log:

[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -

The issue seems to be related to the '-' at the end of the logs, which should be parsed by %{NUMBER:apache2.access.body_sent.bytes}

This should be migrated to something like (-|%{NUMBER:apache2.access.body_sent.bytes}) ?
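
An added example, not part of the thread or of Filebeat's own pipeline: a Python regex counterpart of the alternation suggested in the last comment, compared with a digits-only byte field on two lines in the layout quoted above. The sample lines are constructed by trimming the query strings of the quoted ones, and the field names are hypothetical.

```python
import re
from datetime import datetime

# Layout of the lines quoted in this thread:
# [time] client_ip tls_protocol tls_cipher "request line" bytes
# Field names below are hypothetical, chosen for this example only.
PREFIX = (
    r'^\[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) (?P<tls_version>\S+) '
    r'(?P<tls_cipher>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) '
    r'HTTP/(?P<http_version>[\d.]+)" '
)
# Digits only, like a bare %{NUMBER:...}: rejects a trailing "-".
STRICT_RE = re.compile(PREFIX + r'(?P<bytes>\d+)$')
# Counterpart of (-|%{NUMBER:...}): "-" matches and leaves bytes unset.
TOLERANT_RE = re.compile(PREFIX + r'(?:-|(?P<bytes>\d+))$')


def parse_ssl_request_line(line, pattern=TOLERANT_RE):
    """Return a dict of parsed fields, or None if the line does not match."""
    m = pattern.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    # A "-" byte count becomes None, so the TLS fields are kept instead of
    # the whole event being dropped as a parse failure.
    event["bytes"] = int(event["bytes"]) if event["bytes"] else None
    return event


# Constructed samples: the thread's two lines with the query strings trimmed.
LINE_WITH_BYTES = (
    '[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 '
    'ECDHE-RSA-AES128-GCM-SHA256 '
    '"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax HTTP/1.1" 1375'
)
LINE_WITH_DASH = (
    '[16/Oct/2019:11:53:47 +0200] 11.19.0.217 TLSv1.2 '
    'ECDHE-RSA-AES128-GCM-SHA256 '
    '"GET /appl/ajaxhelper.php?cmd=getxicoreajax HTTP/1.1" -'
)

if __name__ == "__main__":
    for line in (LINE_WITH_BYTES, LINE_WITH_DASH):
        strict = parse_ssl_request_line(line, STRICT_RE)
        tolerant = parse_ssl_request_line(line)
        print("strict:", "match" if strict else "NO MATCH",
              "| tolerant:", tolerant["tls_version"], tolerant["bytes"])
```
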
