Filebeat apache module: Provided Grok expressions do not match field value

gnumoksha · September 10, 2020, 5:43pm

Hello. Filebeat is unable to parse any entry from the Apache access log.

Here is a complete document which demonstrates the error:

{
  "_index": "filebeat-7.7.1-2020.08.29-000002",
  "_type": "_doc",
  "_id": "ZV4cdHQBqE0EjvsuyQIq",
  "_score": 1,
  "_source": {
    "agent": {
      "hostname": "ip-172-30-1-227",
      "id": "6610ced5-c66a-401e-97bd-e0a65caqp835",
      "type": "filebeat",
      "ephemeral_id": "f00a3422-1233-49e5-b4d6-7d5823fef3fd",
      "version": "7.7.1"
    },
    "log": {
      "file": {
        "path": "/var/log/httpd/access_log"
      },
      "offset": 5259377
    },
    "fileset": {
      "name": "access"
    },
    "message": "172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\" 200 9472 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\"",
    "error": {
      "message": "Provided Grok expressions do not match field value: [172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \\\"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\\\" 200 9472 \\\"-\\\" \\\"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\\\"]"
    },
    "cloud": {
      "availability_zone": "us-east-1c",
      "image": {
        "id": "ami-123123123"
      },
      "instance": {
        "id": "i-123123123"
      },
      "provider": "aws",
      "machine": {
        "type": "t3.large"
      },
      "region": "us-east-1",
      "account": {
        "id": "123123123"
      }
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2020-09-09T18:24:37.320Z",
    "ecs": {
      "version": "1.5.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "hostname": "ip-172-30-1-227",
      "os": {
        "kernel": "4.14.133-88.105.amzn1.x86_64",
        "name": "Amazon Linux AMI",
        "family": "redhat",
        "version": "2018.03",
        "platform": "amzn"
      },
      "containerized": false,
      "ip": [
        "172.30.1.227",
        "fe80::87e:55ff:fe6f:d181"
      ],
      "name": "ip-172-30-1-227",
      "id": "b364fcd8bea471c24f5ee5675d4093da",
      "mac": [
        "0a:7e:55:6f:d1:81"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "module": "apache",
      "dataset": "apache.access"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2020-09-09T18:24:37.320Z"
    ],
    "@timestamp": [
      "2020-09-09T18:24:37.320Z"
    ]
  }
}

$ httpd -v
Server version: Apache/2.4.43 (Amazon)
Server built:   May 14 2020 18:12:28

system · October 8, 2020, 7:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Provided Grok expressions do not match field value on Filebeat 7.4.0 Beats filebeat	2	1008	November 15, 2019
Apache access log request grok failure Beats filebeat	2	935	September 7, 2018
Filebeat apache module unable to parse certain logs Beats beats-module , filebeat	7	642	July 3, 2019
Filebeat Grok pattern for access log Beats filebeat	6	1629	November 17, 2023
Provided Grok expressions do not match field value Elasticsearch	1	280	February 24, 2023

Filebeat apache module: Provided Grok expressions do not match field value

Related Topics