HTTPD24_ERRORLOG grok pattern issues

I am having trouble getting the HTTPD24_ERRORLOG pattern to work when the module field is blank.
It works great in the Kibana tester but not in Logstash; I get a grokparsefailure.
ls config:

```
input {
  stdin {}
}
filter {
  grok {
    match => ["message", "%{HTTPD24_ERRORLOG}"]
  }
}
output {
  stdout {}
}
```

Log that works for me:
[Wed Nov 13 12:39:08.474388 2019] [test:error] [pid 9637] [client 176.10.104.240:42390] script '/home/mydomain.com/public_html/wp-config.php.o' not found or unable to stat

Log that does not work:
[Wed Nov 13 12:39:08.474388 2019] [:error] [pid 9637] [client 176.10.104.240:42390] script '/home/mydomain.com/public_html/wp-config.php.o' not found or unable to stat

Not sure if this is a problem with the pattern or my Logstash.
Logstash 7.4.2.

The module field is not optional, so I would not expect it to match if it is missing.

Well, plenty of my logs have it blank, like 90% of them.
Also, it seems to work fine in the Kibana tester without it; it must use another grok engine.
Do you know what settings in httpd will force something there?

No, but the pattern is defined as

```
\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}
```

You could just define a new pattern that is

```
\[%{HTTPDERROR_DATE:timestamp}\] \[(%{WORD:module})?:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}
```
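To see why making the module group optional matters, here is an added Python check (not from this thread, Logstash, or its pattern files) that expands both grok patterns into regular expressions and runs them over the two log lines from the question. The sub-pattern definitions are simplified stand-ins for the stock Logstash ones, and grok matches unanchored, so `re.search` is used.

```python
import re

# Simplified stand-ins for the stock Logstash grok sub-patterns that
# HTTPD24_ERRORLOG depends on (assumption: adequate for this log shape,
# not the full definitions shipped with Logstash).
GROK_PATTERNS = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"[0-9]{1,2}:[0-5][0-9]:[0-5][0-9](?:\.[0-9]+)?",
    "YEAR": r"(?:\d\d){1,2}",
    "HTTPDERROR_DATE": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}",
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?:[Ee]rr?(?:or)?|[Ww]arn?(?:ing)?|[Nn]otice|[Ii]nfo|[Dd]ebug|[Cc]rit(?:ical)?|[Aa]lert|[Ee]merg)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPORHOST": r"[\w.-]+",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} into a Python regex.
    %{NAME:field} becomes a named capture, %{NAME} a non-capturing group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    while _REF.search(pattern):          # loop: HTTPDERROR_DATE nests other refs
        pattern = _REF.sub(repl, pattern)
    return pattern

def grok_match(pattern: str, line: str):
    """Return the captured fields, or None (what grok reports as _grokparsefailure)."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# The two patterns from the thread: the stock one, and the one with an optional module.
ORIGINAL = r"\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}"
FIXED = ORIGINAL.replace("%{WORD:module}", "(%{WORD:module})?")

# The two log lines from the question (the module is "test" in the first, blank in the second).
WITH_MODULE = "[Wed Nov 13 12:39:08.474388 2019] [test:error] [pid 9637] [client 176.10.104.240:42390] script '/home/mydomain.com/public_html/wp-config.php.o' not found or unable to stat"
BLANK_MODULE = "[Wed Nov 13 12:39:08.474388 2019] [:error] [pid 9637] [client 176.10.104.240:42390] script '/home/mydomain.com/public_html/wp-config.php.o' not found or unable to stat"

if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("fixed", FIXED)):
        for line in (WITH_MODULE, BLANK_MODULE):
            print(label, "->", grok_match(pat, line))
```

With the fixed pattern the blank-module line still parses, and `module` simply comes back unset (`None` here, absent in the Logstash event) rather than the whole line failing.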

Thank you so much.
This seems to work.
I need to work on getting more familiar with the grok syntax.
