Provided Grok expressions do not match field value on Filebeat 7.4.0

Hi, I have seen that this was a problem on older versions of Filebeat, but I just installed Filebeat 7.4.0 and the server is running httpd-2.4.6-88.el7.centos.x86_64. I have pointed the Apache module configuration at the log files and I have this message on my documents. I looked at the Apache module documentation and it says it supports logs from versions 2.2.22 and 2.4.23. I understand that the versions starting from 2.2.22 to 2.4.23 should be covered, right? Thanks!! :+1:

{
  "_index": "filebeat-7.4.0-2019.10.16-000001",
  "_type": "_doc",
  "_id": "uz0O1m0BTcFX_Rs6XqCZ",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": {
      "hostname": "XXXXXXXXXXXX",
      "id": "2a9a85b3-f524-45c9-82d0-4af921efbc62",
      "type": "filebeat",
      "ephemeral_id": "b582adfa-6105-4fbb-b7c6-6dd15af000b9",
      "version": "7.4.0"
    },
    "log": {
      "file": {
        "path": "/var/log/httpd/access_log-20191013"
      },
      "offset": 810372
    },
    "message": "62.XXX.250.XXX - - [07/Oct/2019:13:33:50 -0300] \"\\x03\" 400 226 \"-\" \"-\"",
    "fileset": {
      "name": "access"
    },
    "error": {
      "message": "Provided Grok expressions do not match field value: [62.XXX.250.XXX - - [07/Oct/2019:13:33:50 -0300] \\\"\\\\x03\\\" 400 226 \\\"-\\\" \\\"-\\\"]"
    },
    "tags": [
      "XXXXXXX"
    ],
    "input": {
      "type": "log"
    },
    "@timestamp": "2019-10-16T19:29:30.410Z",
    "ecs": {
      "version": "1.1.0"
    },
    "service": {
      "type": "apache"
    },
    "host": {
      "hostname": "XXXXXXXXXXX",
      "os": {
        "kernel": "3.10.0-514.el7.x86_64",
        "codename": "Core",
        "name": "CentOS Linux",
        "family": "redhat",
        "version": "7 (Core)",
        "platform": "centos"
      },
      "containerized": false,
      "name": "XXXXXXXXX",
      "id": "6e5a299b79e44c548898e1d550bff223",
      "architecture": "x86_64"
    },
    "event": {
      "module": "apache",
      "dataset": "apache.access"
    }
  },
  "fields": {
    "suricata.eve.timestamp": [
      "2019-10-16T19:29:30.410Z"
    ],
    "@timestamp": [
      "2019-10-16T19:29:30.410Z"
    ]
  },
  "sort": [
    1571254170410
  ]
}

I verified this in Filebeat with the message you gave, and the grok pattern failed. The reason it failed is the \"\\x03\" part in the log message. Could you give more information on what \"\\x03\" is, please? I see in some access log examples that, after the timestamp, it is followed by the HTTP request method. It would be helpful if we knew what \"\\x03\" is in this case. Thanks!
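The failing line above has a request field that is not an HTTP request line at all: Apache writes non-printable bytes it received as `\xNN` escapes and answers with a 400, so a grok that expects `METHOD URL HTTP/x.y` cannot match. The following is an added example (not the Filebeat module's own pipeline, and the regexes are an illustrative approximation of its Apache access grok, not a copy of it) showing a strict parse with a fallback that keeps such events and flags them, so a defender still sees the client, status and raw request instead of a dropped document. The log lines are constructed samples.

```python
import re

# Strict request-line parse: METHOD URL HTTP/x.y, as the access grok expects.
# Assumption: this approximates the module's pattern; it is not the real one.
STRICT = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Fallback: accept any quoted request string, including Apache's \xNN escapes
# for non-printable bytes, so the event is kept rather than failing the grok.
FALLBACK = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')  # literal backslash-x-hex in the log

def parse_access_line(line):
    """Parse one access_log line; flag requests that are not valid HTTP request lines."""
    m = STRICT.match(line)
    if m:
        d = m.groupdict()
        d["malformed_request"] = False
        return d
    m = FALLBACK.match(line)
    if not m:
        return None  # neither pattern matched: the equivalent of the grok error
    d = m.groupdict()
    d["malformed_request"] = True
    d["raw_bytes"] = bool(ESCAPED_BYTE.search(d["request"]))
    return d

def malformed_requests(lines):
    """Return (client, status, request) for lines whose request field was not
    well-formed HTTP: a cheap detection for non-HTTP data sent to the web port."""
    out = []
    for line in lines:
        d = parse_access_line(line)
        if d and d["malformed_request"]:
            out.append((d["client"], d["status"], d["request"]))
    return out

# Constructed sample lines (addresses are documentation ranges, not real clients).
SAMPLE_LINES = [
    '203.0.113.5 - - [07/Oct/2019:13:33:50 -0300] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.29.0"',
    '203.0.113.7 - - [07/Oct/2019:13:33:50 -0300] "\\x03" 400 226 "-" "-"',
    '203.0.113.9 - - [07/Oct/2019:13:33:51 -0300] "\\x16\\x03\\x01" 400 226 "-" "-"',
]
```

In an ingest pipeline the same idea is a second grok pattern in the pattern list (or an `on_failure` handler) that captures the raw request, so a burst of 400s with escaped bytes from one client shows up in the index instead of as parse errors.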
