Haproxy module with master version

pollux · September 11, 2018, 9:01am

HI,

I compiled filebeat from master (go get + make) and it works. I launch filebeat with the haproxy module. The conf is:

module: haproxy
http:
enabled: true
var.input: "file"
var.paths: ["/var/log/haproxy.log"]

The haproxy is from debian repo, v1.5.8. The only thing that I have about log in my haproxy.cfg is

global
   log /dev/log    local0
   log /dev/log    local1 notice

In elasticsearch I have this error:

Provided Grok expressions do not match field value: [Sep 11 10:43:06 pompom haproxy[666]: 8.8.8.8 - - [11/Sep/2018:08:43:06 +0000] \\\"GET / HTTP/1.1\\\" 200 457 \\\\\\\"\\\\\\\" \\\\\\\"\\\\\\\" 42070 \\\\098 \\\"https~\\\" \\\"vm-abc\\\" \\\"vm-abc\\\" \\\\86 0 1 15 104 ---- 1 1 \\\\0 1 0 0 0 \\\"\\\" \\\"\\\" \\\\ ]

I know that haproxy is still alpha, do you think it worth opening an issue in github ?

pierhugues · September 11, 2018, 3:35pm

@pollux it's worth creating a new issue with your log attached.

I think our grok patterns are not general enough to support every case.

github.com

elastic/beats/blob/master/filebeat/module/haproxy/http/ingest/pipeline.json#L7-L8


"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name} %{NOTSPACE:haproxy.backend_name}/%{NOTSPACE:haproxy.server_name} %{NUMBER:haproxy.time_client_req:int}/%{NUMBER:haproxy.time_queue:int}/%{NUMBER:haproxy.time_backend_connect:int}/%{NUMBER:haproxy.time_server_response:int}/%{NUMBER:haproxy.time_duration:int} %{NUMBER:haproxy.http.response.status_code:int} %{NUMBER:haproxy.http.response.bytes_read:int} %{NOTSPACE:haproxy.http.request.captured_cookie} %{NOTSPACE:haproxy.http.response.captured_cookie} %{NOTSPACE:haproxy.termination_state} %{NUMBER:haproxy.connections.active:int}/%{NUMBER:haproxy.connections.frontend:int}/%{NUMBER:haproxy.connections.backend:int}/%{NUMBER:haproxy.connections.server:int}/%{NUMBER:haproxy.connections.retries:int} %{NUMBER:haproxy.server_queue:int}/%{NUMBER:haproxy.backend_queue:int} \\{%{DATA:haproxy.http.request.captured_headers}\\} \\{%{DATA:haproxy.http.response.captured_headers}\\} \"%{GREEDYDATA:haproxy.http.request.raw_request_line}\"",
"(%{NOTSPACE:haproxy.process_name}\\[%{NUMBER:haproxy.pid:int}\\]: )?%{IP:haproxy.client_ip}:%{NUMBER:haproxy.client_port:int} \\[%{NOTSPACE:haproxy.http.request_date}\\] %{NOTSPACE:haproxy.frontend_name}/%{NOTSPACE:haproxy.bind_name} %{GREEDYDATA:haproxy.error_message}"

pollux · September 13, 2018, 8:34am

In this case, this is the standard logs from haproxy (debian-packaged) I don't know if debian change anything to the default config (this is sad but it could).

Issue: https://github.com/elastic/beats/issues/8301

system · October 11, 2018, 8:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.