Hello, all.
Recently, I enabled the Filebeat Apache2 module, in part to capture geoip data. That seems to be working fine. However, I notice that some output looks to be generated because of a misconfiguration somewhere (Logstash filter, perhaps). Here's the issue I'm talking about (from the error.message field):
Provided Grok expressions do not match field value: [127.0.0.1 - - [21/Dec/2018:08:29:41 -0500] "GET /server-status?auto= HTTP/1.1" 404 236 "-" "Go-http-client/1.1"]
Here's the relevant (I think) part of my Logstash filter:
filter {
  if [fileset][module] == "apache2" {
    if [fileset][name] == "access" {
      grok {
        # Inside the double-quoted pattern strings the brackets around the
        # timestamp and the quotes around the request must stay escaped
        # (\[ \] and \"), otherwise the regex no longer describes the line.
        match => {
          "message" => [
            "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
            "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"-\" %{NUMBER:[apache2][access][response_code]} -"
          ]
        }
      }
      # Keep the ingest time, then parse the Apache timestamp into @timestamp.
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[apache2][access][time]"
      }
      useragent {
        source => "[apache2][access][agent]"
        target => "[apache2][access][user_agent]"
        remove_field => "[apache2][access][agent]"
      }
      geoip {
        source => "[apache2][access][remote_ip]"
        target => "[apache2][access][geoip]"
      }
    }
  }
}
I can't seem to find where, or how, to eliminate that output. I tried filtering it out, but can't make it work.
Your assistance would be most appreciated. I'm happy to provide whatever additional information might be necessary.
Dimitri
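To check a grok pattern against one log line without restarting Logstash, here is an added example (not from the post above and not Logstash or Filebeat code) that expands the access-log pattern into a plain Ruby regex and runs it over the exact line quoted in the error message. The base pattern table is a simplified subset of logstash-patterns-core written for this example (IPORHOST and HTTPDATE are cut down to what an Apache access line needs), so it is a diagnostic aid rather than a replacement for grok; the field names are flattened to underscores because `[apache2][access][remote_ip]` is not a legal Ruby capture-group name. The non-access line it is also fed is a constructed sample.

```ruby
# Simplified subset of logstash-patterns-core (assumption for this example,
# not the real definitions): enough to parse an Apache combined-log line.
PATTERNS = {
  "INT"      => '(?:[+-]?[0-9]+)',
  "NUMBER"   => '(?:[+-]?[0-9]+(?:\.[0-9]+)?)',
  "WORD"     => '\b\w+\b',
  "DATA"     => '.*?',
  "IPORHOST" => '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[A-Za-z0-9._-]+)',
  "HTTPDATE" => '[0-3]?[0-9]/(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/' \
                '[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}',
}.freeze

# Map a grok field reference ("[apache2][access][remote_ip]" or
# "apache2.access.body_sent.bytes") to a legal Ruby named-capture name.
def group_name(field)
  field.gsub("][", "_").delete("[]").tr(".", "_")
end

# Expand every %{PATTERN:field} / %{PATTERN} reference and compile the result.
def grok_compile(pattern)
  expanded = pattern.gsub(/%\{(\w+)(?::([^}]+))?\}/) do
    base = PATTERNS.fetch(Regexp.last_match(1))
    field = Regexp.last_match(2)
    field ? "(?<#{group_name(field)}>#{base})" : base
  end
  Regexp.new(expanded)
end

# Return the captured fields as a Hash, or nil when the pattern does not
# match (or does not compile at all), mirroring a grok parse failure.
def grok_match(pattern, line)
  md = grok_compile(pattern).match(line)
  md ? md.named_captures : nil
rescue RegexpError
  nil
end

# The first access pattern from the post, with the \[ and \] escapes that a
# forum paste tends to strip (in a Logstash config the quotes are \" as well).
ACCESS_PATTERN = '%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] "%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}" %{NUMBER:[apache2][access][response_code]} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( "%{DATA:[apache2][access][referrer]}")?( "%{DATA:[apache2][access][agent]}")?'

# The line quoted in the error.message field of the post.
SAMPLE_LINE = '127.0.0.1 - - [21/Dec/2018:08:29:41 -0500] "GET /server-status?auto= HTTP/1.1" 404 236 "-" "Go-http-client/1.1"'

# Constructed sample of a line that is not an access-log entry at all.
NON_ACCESS_LINE = "[Fri Dec 21 08:29:41.123456 2018] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/apache2'"

if __FILE__ == $0
  puts "with escapes:    #{grok_match(ACCESS_PATTERN, SAMPLE_LINE).inspect}"
  puts "without escapes: #{grok_match(ACCESS_PATTERN.delete('\\'), SAMPLE_LINE).inspect}"
  puts "non-access line: #{grok_match(ACCESS_PATTERN, NON_ACCESS_LINE).inspect}"
end
```

Running the script shows the escaped pattern returning every field (remote_ip 127.0.0.1, method GET, url /server-status?auto=, response_code 404, agent Go-http-client/1.1), while the same pattern with the backslashes removed, and any line that is not an access-log entry, return nil, which is the same outcome the grok filter reports as a parse failure. When a pattern is copied from a forum or wiki, comparing the pasted text against the upstream file for lost backslashes is the first thing to check.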