Hello. Filebeat's Apache module is unable to parse any entry from the Apache access log: every line is rejected with the "Provided Grok expressions do not match field value" error shown below, so no access fields are extracted.
Here is a complete indexed document (with the failed-parse message still in `message` and the pipeline error in `error.message`) that demonstrates the problem:
{
"_index": "filebeat-7.7.1-2020.08.29-000002",
"_type": "_doc",
"_id": "ZV4cdHQBqE0EjvsuyQIq",
"_score": 1,
"_source": {
"agent": {
"hostname": "ip-172-30-1-227",
"id": "6610ced5-c66a-401e-97bd-e0a65caqp835",
"type": "filebeat",
"ephemeral_id": "f00a3422-1233-49e5-b4d6-7d5823fef3fd",
"version": "7.7.1"
},
"log": {
"file": {
"path": "/var/log/httpd/access_log"
},
"offset": 5259377
},
"fileset": {
"name": "access"
},
"message": "172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\" 200 9472 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\"",
"error": {
"message": "Provided Grok expressions do not match field value: [172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \\\"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\\\" 200 9472 \\\"-\\\" \\\"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\\\"]"
},
"cloud": {
"availability_zone": "us-east-1c",
"image": {
"id": "ami-123123123"
},
"instance": {
"id": "i-123123123"
},
"provider": "aws",
"machine": {
"type": "t3.large"
},
"region": "us-east-1",
"account": {
"id": "123123123"
}
},
"input": {
"type": "log"
},
"@timestamp": "2020-09-09T18:24:37.320Z",
"ecs": {
"version": "1.5.0"
},
"service": {
"type": "apache"
},
"host": {
"hostname": "ip-172-30-1-227",
"os": {
"kernel": "4.14.133-88.105.amzn1.x86_64",
"name": "Amazon Linux AMI",
"family": "redhat",
"version": "2018.03",
"platform": "amzn"
},
"containerized": false,
"ip": [
"172.30.1.227",
"fe80::87e:55ff:fe6f:d181"
],
"name": "ip-172-30-1-227",
"id": "b364fcd8bea471c24f5ee5675d4093da",
"mac": [
"0a:7e:55:6f:d1:81"
],
"architecture": "x86_64"
},
"event": {
"module": "apache",
"dataset": "apache.access"
}
},
"fields": {
"suricata.eve.timestamp": [
"2020-09-09T18:24:37.320Z"
],
"@timestamp": [
"2020-09-09T18:24:37.320Z"
]
}
}
$ httpd -v
Server version: Apache/2.4.43 (Amazon)
Server built: May 14 2020 18:12:28