Hi,
I have recently upgraded Logstash from version 7.5.2 to 7.17.0.
I am getting the grok pattern error now. I didn't have any issues with v7.5.2.
[2024-05-22T12:13:51,017][INFO ][logstash.outputs.elasticsearch][uat] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:disabled}
[2024-05-22T12:13:52,088][ERROR][logstash.javapipeline ][uat] Pipeline error {:pipeline_id=>"uat", :exception=>#<Grok::PatternError: pattern %{MODSECAPACHEERROR} not defined>, :backtrace=>["C:/Elastic/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:123:in block in compile'", "org/jruby/RubyKernel.java:1442:in
loop'", "C:/Elastic/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:93:in compile'", "C:/Elastic/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.1/lib/logstash/filters/grok.rb:282:in
block in register'", "org/jruby/RubyArray.java:1821:in each'", "C:/Elastic/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.1/lib/logstash/filters/grok.rb:276:in
block in register'", "org/jruby/RubyHash.java:1415:in each'", "C:/Elastic/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.4.1/lib/logstash/filters/grok.rb:271:in
register'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75:in register'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:232:in
block in register_plugins'", "org/jruby/RubyArray.java:1821:in each'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:231:in
register_plugins'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:590:in maybe_setup_out_plugins'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:244:in
start_workers'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:189:in run'", "C:/Elastic/logstash/logstash-core/lib/logstash/java_pipeline.rb:141:in
block in start'"], "pipeline.sources"=>["C:/Elastic/logstash/config/configs/access_log.logstash.conf", "C:/Elastic/logstash/config/configs/ohs.logstash.conf"], :thread=>"#<Thread:0x184045f run>"}
[2024-05-22T12:13:52,088][INFO ][logstash.javapipeline ][uat] Pipeline terminated {"pipeline.id"=>"uat"}
[2024-05-22T12:13:52,104][ERROR][logstash.agent ] Failed to execute action {:id=>:uat, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}
My config:
if [apache_module] =~ /mod_security/ {
  mutate {
    add_tag => ["mod_security", "ajax_request"]
  }
  grok {
    match => {
      "message" => [
        "%{MODSECAPACHEERROR}",
        # Mod Security (square brackets escaped so they match literally instead of opening a character class)
        "ModSecurity: %{WORD:security_level}. Operator %{WORD} matched %{INT:maturity_value} at %{NOTSPACE} \[file %{QUOTEDSTRING}\] \[line %{QUOTEDSTRING}\] \[id %{QUOTEDSTRING}\] \[msg %{QUOTEDSTRING:msg_value}\] \[hostname %{QUOTEDSTRING:hostname}\] \[uri %{QUOTEDSTRING:request}\] \[unique_id %{QUOTEDSTRING:unique_id}\]",
        "ModSecurity: %{WORD:security_level}. Operator %{WORD} matched %{INT:maturity_value} at %{NOTSPACE} \[file %{QUOTEDSTRING}\] \[line %{QUOTEDSTRING}\] \[id %{QUOTEDSTRING}\] \[rev %{QUOTEDSTRING}\] \[msg %{QUOTEDSTRING:msg_value}\] \[severity %{QUOTEDSTRING:severity}\] \[ver %{QUOTEDSTRING:ver}\] \[maturity %{QUOTEDSTRING:maturity_value}\] \[accuracy %{QUOTEDSTRING:accuracy_value}\] \[tag %{GREEDYDATA:tag}",
        # Catch all
        "%{GREEDYDATA:message}"
      ]
    }
    # the option needs a value; this is the plugin default
    tag_on_failure => ["_grokparsefailure"]
    overwrite => "message"
  }
}
Could you please help me with this?
Thanks.
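As an added illustration (not code from the post or from Logstash), the following minimal grok-style expander reproduces the failure mode in the log above: a pattern name that is not built in and not supplied through a definitions source (the analogue of Logstash's patterns_dir or pattern_definitions) fails at compile time, before any event is processed, while supplying a definition lets a constructed ModSecurity line match. The MODSECAPACHEERROR body, the sample line and all its values are assumptions made up for this example.

```python
import re
# Added illustration (not Logstash's code): a minimal grok-style expander showing
# why Logstash reports "pattern %{NAME} not defined" when it compiles the filter.
BUILTIN = {  # simplified versions of a few Logstash built-in patterns
    "WORD": r"\b\w+\b",
    "INT": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
    "QUOTEDSTRING": r'"(?:[^"\\]|\\.)*"',
    "GREEDYDATA": r".*",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")
class PatternError(Exception):
    pass

def compile_grok(pattern, definitions=None):
    """Recursively expand %{NAME[:field]} into one regex; `definitions` plays the
    role of patterns_dir / pattern_definitions. Unknown names raise PatternError."""
    known = {**BUILTIN, **(definitions or {})}
    def sub(m):
        name, field = m.group(1), m.group(2)
        if name not in known:
            raise PatternError(f"pattern %{{{name}}} not defined")
        body = GROK_REF.sub(sub, known[name])  # nested references expand too
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(sub, pattern))

def compile_error(pattern, definitions=None):
    """Return the PatternError message for `pattern`, or None if it compiles."""
    try:
        compile_grok(pattern, definitions)
    except PatternError as e:
        return str(e)
    return None

def grok_match(pattern, line, definitions=None):
    """Return captured fields for `line`, or None when the pattern does not match."""
    m = compile_grok(pattern, definitions).search(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

# Constructed sample ModSecurity line (all values made up for this example).
SAMPLE = ('ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. '
          '[file "/etc/modsecurity/rules/example.conf"] [line "80"] [id "949110"] '
          '[msg "Inbound Anomaly Score Exceeded"] [hostname "www.example.com"] '
          '[uri "/login"] [unique_id "abc123"]')
# Assumed stand-in definition for the custom pattern the config references; square
# brackets are escaped because an unescaped "[" opens a regex character class.
CUSTOM = {"MODSECAPACHEERROR":
    r'ModSecurity: %{WORD:security_level}\. Operator %{WORD} matched %{INT:maturity_value} '
    r'at %{NOTSPACE} \[file %{QUOTEDSTRING}\] \[line %{QUOTEDSTRING}\] \[id %{QUOTEDSTRING}\] '
    r'\[msg %{QUOTEDSTRING:msg_value}\] \[hostname %{QUOTEDSTRING:hostname}\] '
    r'\[uri %{QUOTEDSTRING:request}\] \[unique_id %{QUOTEDSTRING:unique_id}\]'}
```

compile_error("%{MODSECAPACHEERROR}") yields the same "not defined" message as the pipeline error, and passing CUSTOM as the definitions makes the match succeed.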