Hi,
I'm using Filebeat 6.2.4 with the apache module (and Apache 2.4.7).
My other_vhosts_access.log contains some logs like below:
my-host-name.com:80 1.2.3.4 - - [30/May/2018:02:14:12 +0000] "-" 408 0 "-" "-"
and when sent into Elasticsearch, it shows with an error:
Provided Grok expressions do not match field value: [my-host-name.com:80 1.2.3.4 - - [30/May/2018:02:14:12 +0000] \"-\" 408 0 \"-\" \"-\"]
I have identified that this can easily be fixed with a minor tweak to the ingest pipeline by changing
"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} -"
to
"%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} \\[%{HTTPDATE:apache2.access.time}\\] \"-\" %{NUMBER:apache2.access.response_code} "
(note removal of trailing hyphen).
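
An added example, not part of the original post: a small Python harness that checks both grok expressions from the post against the sample log line. The regexes in `GROK` are simplified stand-ins for the real grok definitions, unanchored matching is assumed, and the second log line (ending in `408 -`) is constructed for comparison.

```python
import re

# Simplified stand-ins for the grok patterns (assumptions, not the real definitions).
GROK = {
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "DATA": r".*?",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into named groups (dots become underscores)."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2).replace(".", "_"), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):([\w.]+)\}", expand, pattern))

def parse(pattern, line):
    """Return the captured fields, or None when the expression does not match."""
    m = grok_to_regex(pattern).search(line)  # search: unanchored matching assumed
    return m.groupdict() if m else None

# The two expressions from the post, with the JSON escaping removed.
ORIGINAL = (r'%{IPORHOST:apache2.access.remote_ip} - %{DATA:apache2.access.user_name} '
            r'\[%{HTTPDATE:apache2.access.time}\] "-" %{NUMBER:apache2.access.response_code} -')
TWEAKED = ORIGINAL[:-1]  # same expression without the trailing hyphen

# Log line from the post: the size field after the status code is "0".
VHOST_LINE = ('my-host-name.com:80 1.2.3.4 - - [30/May/2018:02:14:12 +0000] '
              '"-" 408 0 "-" "-"')
# Constructed line where the size field is "-", the shape ORIGINAL expects.
DASH_LINE = '1.2.3.4 - - [30/May/2018:02:14:12 +0000] "-" 408 -'

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("tweaked", TWEAKED)):
        for label, line in (("vhost line", VHOST_LINE), ("dash line", DASH_LINE)):
            print(name, "|", label, "|", parse(pat, line))
```
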