Spurious output from Apache2 module

Hello, all.

Recently, I enabled the Filebeat Apache2 module, in part to capture geoip data. That seems to be working fine. However, I notice that some output looks to be generated because of a misconfiguration somewhere (Logstash filter, perhaps). Here's the issue I'm talking about (from the error.message field):

Provided Grok expressions do not match field value: [ - - [21/Dec/2018:08:29:41 -0500] "GET /server-status?auto= HTTP/1.1" 404 236 "-" "Go-http-client/1.1"]

Here's the relevant (I think) part of my Logstash filter:

filter {
  if [fileset][module] == "apache2" {
    if [fileset][name] == "access" {
      grok {
        match => {
          "message" => [
            "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
            "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"-\" %{NUMBER:[apache2][access][response_code]} -"
          ]
        }
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[apache2][access][time]"
      }
      useragent {
        source => "[apache2][access][agent]"
        target => "[apache2][access][user_agent]"
        remove_field => "[apache2][access][agent]"
      }
      geoip {
        source => "[apache2][access][remote_ip]"
        target => "[apache2][access][geoip]"
      }
    }
  }
}


I can't seem to find where, or how, to eliminate that output. I tried filtering it out, but can't make it work.

Your assistance would be most appreciated. I'm happy to provide whatever additional information might be necessary.


Anyone on this?

Where did you get your Logstash configuration from?

Have you tried your log in a grok debugger?
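Reproducing the failure offline, along the lines of the grok debugger suggestion above. The block below is an added example, not code from this thread or from Elastic. It compiles the two access-log grok patterns posted above into Python regexes (the base pattern definitions for IP, HOSTNAME, HTTPDATE and so on are simplified versions of the grok library's, which is an assumption) and runs them over a constructed well-formed access-log line and over the value quoted in the error message. That value begins with " - -", so there is nothing where %{IPORHOST:[apache2][access][remote_ip]} expects a client address, and neither pattern can match. The wording "Provided Grok expressions do not match field value" is the Elasticsearch ingest node's grok processor failure message, so the Filebeat module's ingest pipeline, not only the Logstash filter, is involved in producing it. The block also tries a tolerant variant of the posted patterns, added here, that makes the client address optional, to show what is and is not recovered from that line.

```python
import re

# Minimal grok-to-regex compiler. Assumption (added here, not from the thread): only the
# base patterns the posted filter needs are defined, and IP/HTTPDATE are simplified
# relative to logstash-patterns-core. Enough to reproduce match vs. no-match behaviour.
GROK_BASE = {
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "HTTPDATE": r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}
GROK_SYNTAX = re.compile(r"%\{(\w+)(?::([^}]+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} into a Python regex with named groups.

    A field reference such as [apache2][access][remote_ip] or apache2.access.remote_ip
    becomes the group name apache2_access_remote_ip (group names cannot contain dots
    or brackets).
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_BASE[name])      # nested %{...} inside base patterns
        if field is None:
            return f"(?:{inner})"
        group = "_".join(re.findall(r"\w+", field))
        return f"(?P<{group}>{inner})"
    return GROK_SYNTAX.sub(expand, pattern)


def grok_match(patterns, line):
    """Try each pattern in order, as the grok filter/processor does.

    Returns the fields captured by the first matching pattern, or None when no pattern
    matches, which is the condition behind "Provided Grok expressions do not match".
    """
    for pattern in patterns:
        m = re.search(grok_to_regex(pattern), line)  # grok is unanchored by default
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    return None


# The two access-log patterns from the posted filter, as the regex engine sees them
# (the \[ \] escapes that the forum rendering dropped are restored; quotes are literal).
POSTED_PATTERNS = [
    r'%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} '
    r'\[%{HTTPDATE:[apache2][access][time]}\] "%{WORD:[apache2][access][method]} '
    r'%{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}" '
    r'%{NUMBER:[apache2][access][response_code]} (?:%{NUMBER:apache2.access.body_sent.bytes}|-)'
    r'( "%{DATA:[apache2][access][referrer]}")?( "%{DATA:[apache2][access][agent]}")?',
    r'%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} '
    r'\[%{HTTPDATE:[apache2][access][time]}\] "-" %{NUMBER:[apache2][access][response_code]} -',
]

# Added variant (assumption, not from the thread): the client address becomes optional,
# so a line with an empty first field still yields the remaining fields.
STRICT_HOST = "%{IPORHOST:[apache2][access][remote_ip]}"
TOLERANT_PATTERNS = [p.replace(STRICT_HOST, "^(?:" + STRICT_HOST + "|-)?", 1)
                     for p in POSTED_PATTERNS]

# Constructed well-formed line (documentation address range).
OK_LINE = '203.0.113.7 - - [21/Dec/2018:08:29:41 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
# The value quoted inside the error message in the post (the text between its outer
# brackets). Whether the leading space was present in the original log is not visible.
FAILING_LINE = ' - - [21/Dec/2018:08:29:41 -0500] "GET /server-status?auto= HTTP/1.1" 404 236 "-" "Go-http-client/1.1"'


if __name__ == "__main__":
    for label, line in (("well-formed", OK_LINE), ("from the post", FAILING_LINE)):
        print(label, "strict:  ", grok_match(POSTED_PATTERNS, line))
        print(label, "tolerant:", grok_match(TOLERANT_PATTERNS, line))
```

With the posted patterns the well-formed line yields every field and the quoted line yields nothing; with the tolerant variant the quoted line yields method, URL, status, bytes and user agent, but remote_ip stays absent, so the geoip filter downstream has nothing to work on for that event either. Which way to go is a monitoring decision rather than a parsing one: an event that fails grok carries none of the apache2.access.* fields, so it is invisible to dashboards and alerts built on them, and a request to /server-status?auto= from a Go-http-client is exactly the kind of automated client (a mod_status poller, by the look of it) one would rather see counted than silently dropped. Either make the pattern tolerate the missing address, or keep the pattern strict and leave the unmatched events tagged and searchable rather than filtering them out. It is also worth checking which LogFormat produced a line with an empty first field, since a missing client address is not what the standard combined format writes.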
