Filebeat AWS Module & ELB fileset, got error in parsing NLB log

pingz · December 1, 2020, 10:08pm

Hi there:

I am using filebeat 7.9.3 with aws module and elb fileset enabled, running inside k8s.
It is able to parse ALB log, but failed in paring Network load balancer log.

The error message I got is

error.message
Provided Grok expressions do not match field value: [tls 2.0 2020-12-01T21:44:09 net/dynamic-lb-113WV3QTK1Q6O/f1ed246e274f51c9 9fda1d87ff5d5c3c 5.188.206.18:63044 10.30.222.193:10000 7048 - 0 0 - - - - - - - - - -]

where the nlb log message is

tls 2.0 2020-12-01T21:44:09 net/dynamic-lb-113WV3QTK1Q6O/f1ed246e274f51c9 9fda1d87ff5d5c3c 5.188.206.18:63044 10.30.222.193:10000 7048 - 0 0 - - - - - - - - - -

It looks like filebeat-7.9.3-aws-elb-pipeline processor failed to parse NLB log. The latest NLB log has 3 additional entries alpn_fe_protocol, alpn_be_protocol, alpn_client_preference_list that are not included in the grok NLB log pattern

I finally fix the bug in filebeat-7.9.3-aws-elb-pipeline Grok myself by changing %{NUMBER:aws.elb.tls_handshake_time.ms:float} to (?:-|%{NUMBER:aws.elb.tls_handshake_time.ms:float})

system · December 30, 2020, 12:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Filebeat] AWS module & ELB fileset, not parsing message Beats beats-module , filebeat	9	773	November 2, 2020
Fails Filebeat Input format data Beats filebeat	3	321	June 25, 2020
Filebeat with AWS ELB logs = newbie problems Beats filebeat	1	308	April 27, 2022
Filebeat and grok parsing errors Beats filebeat	5	9338	September 4, 2018
Filebeat "Provided Grok expressions do not match field value:" for /var/log/messages on RHEL7 with system module Beats filebeat	1	435	April 26, 2019

Filebeat AWS Module & ELB fileset, got error in parsing NLB log

Related topics