Forwarder adds escapes to all quotes in log messages


(Phil) #1

So I am at my wit's end trying to get either a working grok filter or LSF to send data properly.

The data being sent looks like this:

23/Oct/2015:01:57:16 +0000 1.2.3.4/- "Status:200" "POST /api/rest/stats/call HTTP/1.1" "{\x22data\x22: [{\x22val\x22:\x22dummy\x22, \x22ts\x22: 109683, \x22avgJitter\x22: 0, \x22id\x22: \x2215d61_293b830\x22, \x22rxCodec\x22: \x22G.722.1C\x22, \x22rx\x22: 114061, \x22drop\x22: 0, \x22jitter\x22: 2, \x22key\x22: \x22callinfo-audio\x22}], \x22mac\x22: \x220004f2fc3311\x22, \x22hwrev\x22: \x225\x22, \x22bld\x22: \x2211424\x22, \x22ver\x22: \x225.4.0\x22, \x22hwreg\x22: \x220\x22, \x22hwname\x22:\x228800\x22, \x22vdt\x22: \x2219-Oct-15 14:39\x22, \x22hwpn\x22: \x223111-65290-001\x22}" 28475 1 ECDHE-RSA-AES256-GCM-SHA384 5 "-" "-"

But when LSF sends it to LS, it escapes " and other data, so when LS receives it, this is what I get:

23/Oct/2015:01:57:16 +0000 1.2.3.4/- "Status:200" "POST /api/rest/stats/call HTTP/1.1" "{\x22data\x22: [{\x22val\x22:\x22dummy\x22, \x22ts\x22: 109683, \x22avgJitter\x22: 0, \x22id\x22: \x2215d61_293b830\x22, \x22rxCodec\x22: \x22G.722.1C\x22, \x22rx\x22: 114061, \x22drop\x22: 0, \x22jitter\x22: 2, \x22key\x22: \x22callinfo-audio\x22}], \x22mac\x22: \x220004f2fc3311\x22, \x22hwrev\x22: \x225\x22, \x22bld\x22: \x2211424\x22, \x22ver\x22: \x225.4.0\x22, \x22hwreg\x22: \x220\x22, \x22hwname\x22:\x228800\x22, \x22vdt\x22: \x2219-Oct-15 14:39\x22, \x22hwpn\x22: \x223111-65290-001\x22}" 28475 1 ECDHE-RSA-AES256-GCM-SHA384 5 "-" "-"

So I wrote and tested a grok filter based on the expected log message format:
%{HTTPDATE} %{IP:clientip}%{NOTSPACE}%{NOTSPACE} %{QS:status} %{QS:method} %{QS:body} %{NUMBER:con} %{NUMBER:conreq} (?(\w+-\w+){4}) %{NUMBER:bytessent} %{QS:refer} %{QS:useragent}

Once I figured out the problem, I rewrote and tested the grok filter to account for all the escapes:

%{HTTPDATE:timestamp} %{IP:clientip}%{NOTSPACE}%{NOTSPACE} \"Status:%{NUMBER:status}\" \"(?(.+))\" \"(?<request_body>(.+))\" %{NUMBER:connection} %{NUMBER:connection_request} (?<ssl_cipher>(\w+-\w+){4}) %{NUMBER:body_bytes_sent} \"(?<http_referer>.+)\" \"(?<http_user_agent>.+)\"

However, LS still gives a ton of _grokparseerror messages and refuses to process the message no matter what I do.

Any suggestions?
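The layout in the post can be checked outside Logstash with a plain regex that mirrors the second grok pattern field for field. The example below is added here and is not the poster's configuration or anything from Logstash; it assumes the `\x22` sequences are nginx's `\xHH` escaping of characters inside a logged field, and it goes beyond the post in one way: each quote delimiter is written as `\\?"` so the same pattern matches both the line as written to disk and a variant in which every quote arrives prefixed with a backslash (constructed here with `escape_quotes`). Field names follow the post's second pattern; the anchored line, the lazy quoted fields and the narrower cipher-suite class are my choices. The sample line is constructed from the one in the post with the JSON body trimmed.

```python
import json
import re
from typing import Optional

# Constructed sample line in the layout shown in the post, with the JSON body
# trimmed to a few keys. nginx writes a double quote inside a logged field as
# the four characters \x22, so the backslashes here are real characters in the
# log, not Python escapes (the string literal is raw).
SAMPLE_LINE = (
    r'23/Oct/2015:01:57:16 +0000 1.2.3.4/- "Status:200" '
    r'"POST /api/rest/stats/call HTTP/1.1" '
    r'"{\x22data\x22: [{\x22val\x22:\x22dummy\x22, \x22ts\x22: 109683, '
    r'\x22key\x22: \x22callinfo-audio\x22}], \x22mac\x22: \x220004f2fc3311\x22, '
    r'\x22ver\x22: \x225.4.0\x22}" '
    r'28475 1 ECDHE-RSA-AES256-GCM-SHA384 5 "-" "-"'
)

# A field delimiter: a double quote that may or may not be preceded by a
# backslash, so one pattern accepts the line as written to disk and the
# variant the post describes, where every quote arrives as \" (assumption).
Q = r'\\?"'

# Regex equivalent of the second grok pattern in the post, same field names.
# Differences (my choices, not from the post): the whole line is anchored,
# quoted fields are matched lazily up to the next closing delimiter, and the
# cipher suite is limited to the characters cipher-suite names contain.
ACCESS_LINE = re.compile(
    r'^(?P<timestamp>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) '
    r'(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})/(?P<remote_user>\S*) '
    + Q + r'Status:(?P<status>\d{3})' + Q + ' '
    + Q + r'(?P<request>.*?)' + Q + ' '
    + Q + r'(?P<request_body>.*?)' + Q + ' '
    + r'(?P<connection>\d+) (?P<connection_request>\d+) '
    + r'(?P<ssl_cipher>[A-Z0-9-]+) (?P<body_bytes_sent>\d+) '
    + Q + r'(?P<http_referer>.*?)' + Q + ' '
    + Q + r'(?P<http_user_agent>.*?)' + Q + r'$'
)

_HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def unescape_nginx(text: str) -> str:
    """Turn nginx-style \\xHH escapes (e.g. \\x22 for a double quote) back into characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def escape_quotes(line: str) -> str:
    """Build the variant the post describes: every double quote prefixed with a backslash."""
    return line.replace('"', r'\"')


def parse_access_line(line: str) -> Optional[dict]:
    """Parse one access-log line. Returns the captured fields (as strings, like
    grok), with the request body decoded and JSON-loaded under 'body_json',
    or None when the line does not match (the counterpart of a grok parse failure)."""
    match = ACCESS_LINE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    # Decode the \xHH escapes only after the field boundaries are known;
    # decoding first would reintroduce the quotes that delimit the fields.
    decoded = unescape_nginx(fields["request_body"])
    fields["request_body"] = decoded
    try:
        fields["body_json"] = json.loads(decoded)
    except json.JSONDecodeError:
        fields["body_json"] = None  # body was not JSON; the raw text is kept above
    return fields


if __name__ == "__main__":
    for variant in (SAMPLE_LINE, escape_quotes(SAMPLE_LINE)):
        parsed = parse_access_line(variant)
        print("matched" if parsed else "no match", parsed and parsed["body_json"]["mac"])
```

Running the module parses both the plain line and its backslash-escaped variant to the same fields. The order matters: split the line into fields first, then decode `\x22` in the body, then `json.loads` it. Decoding before splitting would put literal double quotes back into the body and break the quote-delimited layout, which is the same trap a grok pattern falls into if it expects `"` where the log actually carries `\x22`.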
