Filebeat apache module: Provided Grok expressions do not match field value

Hello. Filebeat is unable to parse any entry from the Apache access log. As the document below shows, each line of this log carries a parenthesized list of addresses after the client IP (i.e. a non-default LogFormat), which appears to be the part the module's Grok expressions fail to match.

Here is a complete document, as indexed by Filebeat, which demonstrates the error (see the `message` field and the resulting `error.message`):

{
  "_index": "filebeat-7.7.1-2020.08.29-000002",
  "_type": "_doc",
  "_id": "ZV4cdHQBqE0EjvsuyQIq",
  "_score": 1,
  "_source": {
    "agent": {
      "hostname": "ip-172-30-1-227",
      "id": "6610ced5-c66a-401e-97bd-e0a65caqp835",
      "type": "filebeat",
      "ephemeral_id": "f00a3422-1233-49e5-b4d6-7d5823fef3fd",
      "version": "7.7.1"
    },
    "log": {
      "file": {
        "path": "/var/log/httpd/access_log"
      },
      "offset": 5259377
    },
    "fileset": {
      "name": "access"
    },
    "message": "172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\" 200 9472 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\"",
    "error": {
      "message": "Provided Grok expressions do not match field value: [172.30.0.183 (171.212.123.34, 161.152.73.34) - - [09/Sep/2020:18:24:36 +0000] \\\"GET /foo/bar-249-outlet-perry-perry--bealls-outlet-200007qu?utm_source=FooBar&token=YzM4YzU0aEtjNX1GiqQ2aTJxRDJQJFQyL1p1MmFvQmE0NTdKK2VBSaBPqEM3bnd5Zz0= HTTP/1.1\\\" 200 9472 \\\"-\\\" \\\"Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1\\\"]"
    },
    "cloud": {
      "availability_zone": "us-east-1c",
      "image": {
        "id": "ami-123123123"
      },
      "instance": {
        "id": "i-123123123"
      },
      "provider": "aws",
      "machine": {
        "type": "t3.large"
      },
      "region": "us-east-1",
      "account": {
        "id": "123123123"
      }
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2020-09-09T18:24:37.320Z",
    "ecs": {
      "version": "1.5.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "hostname": "ip-172-30-1-227",
      "os": {
        "kernel": "4.14.133-88.105.amzn1.x86_64",
        "name": "Amazon Linux AMI",
        "family": "redhat",
        "version": "2018.03",
        "platform": "amzn"
      },
      "containerized": false,
      "ip": [
        "172.30.1.227",
        "fe80::87e:55ff:fe6f:d181"
      ],
      "name": "ip-172-30-1-227",
      "id": "b364fcd8bea471c24f5ee5675d4093da",
      "mac": [
        "0a:7e:55:6f:d1:81"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "module": "apache",
      "dataset": "apache.access"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2020-09-09T18:24:37.320Z"
    ],
    "@timestamp": [
      "2020-09-09T18:24:37.320Z"
    ]
  }
}
$ httpd -v
Server version: Apache/2.4.43 (Amazon)
Server built:   May 14 2020 18:12:28
