Provided Grok expressions do not match field value for response code 408

gregbacchus · May 30, 2018, 2:56am

Hi,

I'm using Filebeat 6.2.4 with the apache module (and Apache 2.4.7).
My other_vhosts_access.log contains some logs like below:

my-host-name.com:80 1.2.3.4 - - [30/May/2018:02:14:12 +0000] "-" 408 0 "-" "-"

and when sent into Elasticsearch, it shows with with an error:

Provided Grok expressions do not match field value: [my-host-name.com:80 1.2.3.4 - - [30/May/2018:02:14:12 +0000] \"-\" 408 0 \"-\" \"-\"]

I have identified that this can easily be fixed with a minor tweak to the ingest pipeline by changing

"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -"

to

"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} "

(note removal of trailing hyphen).

kvch · June 1, 2018, 9:18am

Do you mind opening a PR for this? Also, what OS are you running Apache on?

gregbacchus · June 6, 2018, 2:04am

Sure. I'll create one shortly. It's running on Ubuntu 14.04.

gregbacchus · June 7, 2018, 10:16pm

system · July 5, 2018, 10:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.