Grokparsefailure on COMBINEDAPACHELOG not matching empty USER with quotes

I have noticed that this line in access.log is getting a _grokparsefailure : - "" [18/Mar/2019:13:24:42 +0000] "GET /manager/html HTTP/1.1" 200 2756 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"

whereas most lines in the log are OK. Line like this, where there are two hyphens in 2nd and 3rd places: - - [18/Mar/2019:14:34:48 +0000] "GET /en/login HTTP/1.1" 200 5087 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +"

I had a look at the pattern definition here:

I found that the third item, which is "" on these lines but just a hypen normally (99% of the time) is the USER pattern, defined as:

USERNAME [a-zA-Z0-9._-]+

Rare but annoying. If a "" is a valid output in the Apache logs, shouldn't COMBINEDAPACHELOG handle this?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.