Provided Grok expressions do not match field value when apache2 response_code is 304

Hello,

I'm using Filebeat 5.3.0 with the apache2 module. I'm getting grok expression errors.

Example:

When the following line appears in the access.log:

127.0.0.1 - ironman [06/Apr/2017:18:55:56 +0200] "GET /bundles/4b5a84aaf1c9485e060c503a0ff8cadb.woff2 HTTP/1.1" 200 2153 "https://kibana-url.com:8081/bundles/commons.style.css?v=14823" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

...all works fine, as of Kibana:

But when the following line appears in the access.log:

127.0.0.1 - hulk [06/Apr/2017:18:55:56 +0200] "GET /bundles/4b5a84aaf1c9485e060c503a0ff8cadb.woff2 HTTP/1.1" 304 - "https://kibana-url.com:8081/bundles/commons.style.css?v=14823" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

... I'm getting grok expression errors, as of Kibana:

Because the response_code is 304 and the body_sent.bytes are not set (red bordered in my picture).

The grok patterns

... %{NUMBER:apache2.access.response_code} %{NUMBER:apache2.access.body_sent.bytes} ... are not matching.

  • Version: 5.3.0
  • Operating System: Amazon Linux (CentOS 6)
  • Steps to Reproduce: You can paste the lines from my examples into a file and configure filebeat apache2 module for it

This sounds like the same issue fixed here? https://github.com/elastic/beats/pull/3863 This should be fixed in the upcoming 5.3.1 release.

ok, Thx! :slight_smile:
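The mismatch reported in this thread, reproduced as an added example (not part of the original posts and not Filebeat's own pipeline code). The regexes are simplified Python stand-ins for the grok patterns, and the tolerant alternation is an assumed way to accept the `-` placeholder, not the text of the linked pull request.

```python
import re

# Simplified stand-in for grok's %{NUMBER} (the real pattern also accepts signs/decimals).
NUMBER = r"\d+"

# Shared parts of the access-log line: client, ident, user, timestamp, request line.
PREFIX = (
    r'^(?P<remote_ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
)
SUFFIX = r' "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'

# STRICT mirrors "%{NUMBER:response_code} %{NUMBER:body_sent.bytes}" from the post.
STRICT = re.compile(PREFIX + rf"(?P<response_code>{NUMBER}) (?P<bytes>{NUMBER})" + SUFFIX)
# TOLERANT (assumption): the byte count is either a number or the "-" placeholder.
TOLERANT = re.compile(PREFIX + rf"(?P<response_code>{NUMBER}) (?:(?P<bytes>{NUMBER})|-)" + SUFFIX)

# The two log lines from the post, assembled from their common parts.
REQ = '[06/Apr/2017:18:55:56 +0200] "GET /bundles/4b5a84aaf1c9485e060c503a0ff8cadb.woff2 HTTP/1.1"'
TAIL = ('"https://kibana-url.com:8081/bundles/commons.style.css?v=14823" '
        '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
        'Chrome/56.0.2924.87 Safari/537.36"')
LINE_200 = f"127.0.0.1 - ironman {REQ} 200 2153 {TAIL}"
LINE_304 = f"127.0.0.1 - hulk {REQ} 304 - {TAIL}"


def parse(line, pattern):
    """Return the extracted fields, or None when the pattern does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["response_code"] = int(fields["response_code"])
    # "-" means no body was sent (as with 304), so keep the field unset.
    fields["bytes"] = int(fields["bytes"]) if fields["bytes"] is not None else None
    return fields


def unparsed(lines, pattern):
    """Lines that would reach the index without structured fields."""
    return [line for line in lines if parse(line, pattern) is None]


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT), ("tolerant", TOLERANT)):
        missed = unparsed([LINE_200, LINE_304], pattern)
        print(f"{name}: {len(missed)} line(s) failed to parse")
```

With the strict pattern, every 304 line loses its user, URL and status fields, so any search or alert keyed on those fields silently skips those requests until the pattern accepts `-`.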
