Filebeat apache module unable to parse certain logs

Hi all,

I have a couple of lines in my apache access logs that cannot be parsed by the default apache module.

After some testing, I found that:
Does not work:
123.123.123.123 - - [04/Jun/2019:12:25:00 +0000] "-" 400 100 "-" "-"
Kibana error.message:
Provided Grok expressions do not match field value: [123.123.123.123 - - [04/Jun/2019:12:25:00 +0000] \"-\" 400 100 \"-\" \"-\"]

Works:
123.123.123.123 - - [04/Jun/2019:12:24:00 +0000] "-" 400 - "-" "-"

I am currently using Filebeat v7.1.1, with its default apache module and minimal modification.

Any idea why this occurs?

Thanks 🙂

Do you have custom log format configured? What's your apache version?

No, I did not configure a custom log format. I am using the default log format from the apache module.

I meant: have you configured anything in your Apache configuration using the LogFormat directive? Also, what is the version of Apache you want to ship logs from?

Oh sorry!
Nope, I did not configure log format directives in my Apache config.
My Apache version is 2.4.33.

According to the documentation it's not tested with that version. Could you please open an enhancement request on GH for support of Apache 2.4.33? https://github.com/elastic/beats/issues/new?template=feature-request.md

Thanks. 🙂

Okay thanks for your help!
