I have these logs (OVH shared hosting) that set the ident field of log lines to
example.com:443. It's only on a fraction of the logs; most of them are set to
www.example.com, as they should be (I think?).
A full example line:
18.104.22.168 example.com:443 - [24/Feb/2015:23:13:42 +0000] "GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"
Tested to fail on latest logstash-patterns-core.
It looks like it should be accepted, as far as I understand it from the ident field definition in RFC1413, but I wanted to have confirmation before filing a bug report. It's the first time I've seen this ident field set like this, and it might well be just the hosting provider doing something non-standard?
Should this log line be accepted as a "COMBINED" log?
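
An added example, not part of the original post and not code from logstash-patterns-core: a Python sketch that parses combined-format lines with two interchangeable ident sub-patterns, showing where a `host:port` ident stops a strict matcher and how a tolerant one keeps the line and recovers the virtual host and port. The strict character class is an assumption standing in for the pattern the post tested; the regexes, function names and shortened sample lines are constructed for illustration.

```python
import re

# Constructed, simplified stand-ins for grok sub-patterns (assumptions, not
# copied from logstash-patterns-core).
STRICT_IDENT = r"[a-zA-Z0-9._-]+"   # no ':' allowed
RELAXED_IDENT = r"\S+"              # any run of non-space characters


def build_combined(ident_pattern):
    """Compile a combined-log regex with the given ident sub-pattern."""
    return re.compile(
        r"^(?P<clientip>\S+) "
        r"(?P<ident>" + ident_pattern + r") "
        r"(?P<auth>\S+) "
        r"\[(?P<timestamp>[^\]]+)\] "
        r'"(?P<verb>[A-Z]+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
        r"(?P<response>\d{3}) (?P<bytes>\d+|-) "
        r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
    )


def parse(line, ident_pattern):
    """Return the named fields as a dict, or None when the line does not match."""
    m = build_combined(ident_pattern).match(line)
    return m.groupdict() if m else None


def split_vhost(ident):
    """Split a 'host:port' ident into (host, port); port is None if absent."""
    host, sep, port = ident.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ident, None


# Sample lines modelled on the one in the post (request and user agent shortened).
TAIL = ('- [24/Feb/2015:23:13:42 +0000] "GET /images/kibana-search.png HTTP/1.1" '
        '200 203023 "http://semicomplete.com/" "Mozilla/5.0"')
LINE_PORT = "18.104.22.168 example.com:443 " + TAIL
LINE_WWW = "18.104.22.168 www.example.com " + TAIL

if __name__ == "__main__":
    for line in (LINE_PORT, LINE_WWW):
        for name, pat in (("strict", STRICT_IDENT), ("relaxed", RELAXED_IDENT)):
            fields = parse(line, pat)
            print(name, "->", fields and split_vhost(fields["ident"]))
```

Lines that fail to parse are usually tagged rather than dropped by a log pipeline, so counting parse failures per source is a quick way to notice when a fraction of access logs is escaping downstream detection rules.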