Filebeat apache module unable to parse certain logs

Elastic Stack Beats
,
1

Hi all,

I have a couple of lines in my apache access logs that cannot be parsed by the default apache module.

After some testing, I found that:
Does not work:
123.123.123.123 - - [04/Jun/2019:12:25:00 +0000] "-" 400 100 "-" "-"
Kibana error.message:
Provided Grok expressions do not match field value: [123.123.123.123 - - [04/Jun/2019:12:25:00 +0000] \"-\" 400 100 \"-\" \"-\"]

Works:
123.123.123.123 - - [04/Jun/2019:12:24:00 +0000] "-" 400 - "-" "-"

I am currently using Filebeat v7.1.1, with its default apache module and minimal modification.

Any idea why this occurs?

Thanks :slight_smile:

2

Do you have custom log format configured? What's your apache version?

3

No I did not configure a custom log format. I am using the default log format from the apache module.

4

I meant have you configured anything in you Apache configuration using LogFormat directive. Also, what is the version of Apache you want to ship logs from?

5

Oh sorry!
Nope I did not configure log format directives in my Apache config.
My apache version is 2.4.33.

6

According to the documentation it's not tested with that version. Could you please open an enhancement request on GH for support of Apache 2.4.33? https://github.com/elastic/beats/issues/new?template=feature-request.md

Thanks. :slight_smile:

7

Okay thanks for your help!

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.