Apache access log request grok failure

Elastic Stack Beats
1

Hello,

Using the standard apache2 module for Apache access logs, I get

Provided Grok expressions do not match field value errors for example with:

[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375

Log location: /var/log/httpd/ssl_request_log

httpd.x86_64 2.4.6-80.el7.centos.1

Filebeat 6.3.2 config:

- module: apache2
  access:
    enabled: true
    var.paths: ["/var/log/httpd/access_log","/var/log/httpd/ssl_access_log","/var/log/httpd/ssl_request_log"]
  error:
    enabled: true
    var.paths: ["/var/log/httpd/error_log","/var/log/httpd/ssl_error_log"]

error.message in Kibana:

Provided Grok expressions do not match field value: [[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375]

Should I make a GitHub issue?

Grtz

Willem

2

Hi,

You're right, the Apache module doesn't have a grok pattern for the ssl_request_log. Please open a GitHub issue.

I reproduced it by installing httpd.x86_64 2.4.6-80.el7.centos.1 as well as mod_ssl.x86_64 1:2.4.6-80.el7.centos.1. It's the later package that installs /etc/httpd/conf.d/ssl.conf with the following entry:

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.