Hi, I have seen that this was a problem on older versions of filebeat, but I just installed filebeat 7.4.0 and the server is running httpd-2.4.6-88.el7.centos.x86_64. I have pointed the apache module configuration at the log files, and I am getting this message in my documents. I looked at the apache module documentation and it says it supports logs from versions 2.2.22 and 2.4.23. I understand that means versions from 2.2.22 through 2.4.23 should be covered, right? Thanks!!
{
"_index": "filebeat-7.4.0-2019.10.16-000001",
"_type": "_doc",
"_id": "uz0O1m0BTcFX_Rs6XqCZ",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "XXXXXXXXXXXX",
"id": "2a9a85b3-f524-45c9-82d0-4af921efbc62",
"type": "filebeat",
"ephemeral_id": "b582adfa-6105-4fbb-b7c6-6dd15af000b9",
"version": "7.4.0"
},
"log": {
"file": {
"path": "/var/log/httpd/access_log-20191013"
},
"offset": 810372
},
"message": "62.XXX.250.XXX - - [07/Oct/2019:13:33:50 -0300] \"\\x03\" 400 226 \"-\" \"-\"",
"fileset": {
"name": "access"
},
"error": {
"message": "Provided Grok expressions do not match field value: [62.XXX.250.XXX - - [07/Oct/2019:13:33:50 -0300] \\\"\\\\x03\\\" 400 226 \\\"-\\\" \\\"-\\\"]"
},
"tags": [
"XXXXXXX"
],
"input": {
"type": "log"
},
"@timestamp": "2019-10-16T19:29:30.410Z",
"ecs": {
"version": "1.1.0"
},
"service": {
"type": "apache"
},
"host": {
"hostname": "XXXXXXXXXXX",
"os": {
"kernel": "3.10.0-514.el7.x86_64",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"version": "7 (Core)",
"platform": "centos"
},
"containerized": false,
"name": "XXXXXXXXX",
"id": "6e5a299b79e44c548898e1d550bff223",
"architecture": "x86_64"
},
"event": {
"module": "apache",
"dataset": "apache.access"
}
},
"fields": {
"suricata.eve.timestamp": [
"2019-10-16T19:29:30.410Z"
],
"@timestamp": [
"2019-10-16T19:29:30.410Z"
]
},
"sort": [
1571254170410
]
}