Filebeat: 7.9.2
We are using a custom log format for Apache. The Filebeat Apache module (i.e. `/usr/share/filebeat/module/apache/access/ingest/pipeline.yml`) is updated with a single Grok expression that matches our custom log format. We are running this on Kubernetes and all logs go to stdout.
Every request to our Apache servers is creating three ES entries:
- A copy of the request from stdout
- A correctly parsed version of the Apache request
- An entry that says `Provided Grok expressions do not match field value`
The Apache logs are being parsed correctly but there is still an error saying `Provided Grok expressions do not match field value`. My best guess is that two (or three) Filebeat pipelines are being applied to every Apache log line. How would I track down this issue?