Hi,
I have issues with our ELK stack analyzing some httpd logs. For users that are authenticated with their email address (see sample data) the filter does not work. Some info on the environment:
Version: all 5.2
Operating System: Docker containers running on CentOS 7
Sample Data:
Working sample data:
123.123.123.123 - bvonstvieth [08/Feb/2017:14:32:15 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 408 "-" "Mozilla/5.0 (Macintosh) mirall/2.2.4 (build 3709)"
Not working data leading to _grokparsefailure:
123.123.123.123 - [email protected] [08/Feb/2017:13:50:14 +0100] "PROPFIND /remote.php/webdav/ HTTP/1.1" 207 389 "-" "Mozilla/5.0 (Macintosh) mirall/2.2.4 (build 3709)"
Steps to Reproduce:
Put logstash on /var/log/httpd and see what happens.
Taking a look at logstash-patterns-core and copying it to my grok filter makes it work, but shouldn't it be already in place?
match => [ "message" , "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" ]
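To show why the default access-log match fails on an e-mail user while the pattern pasted above succeeds, here is an added example (not from the issue or from logstash-patterns-core) that approximates the relevant grok building blocks as plain Python regexes: the assumed `USERNAME` class stands for the older `%{USER}` placeholder, and `HTTPDUSER` adds the e-mail alternative. The second log line is constructed with a placeholder address, since the address in the issue is redacted.

```python
import re

# Assumed, simplified plain-regex equivalents of the grok building blocks in
# logstash-patterns-core. USERNAME is what %{USER} resolves to; HTTPDUSER adds
# the e-mail alternative, which is the difference that matters here.
USERNAME = r"[a-zA-Z0-9._-]+"
EMAILLOCALPART = r"[a-zA-Z][a-zA-Z0-9_.+-]+"
HOSTNAME = r"[0-9A-Za-z](?:[0-9A-Za-z.-]*[0-9A-Za-z])?"
EMAILADDRESS = EMAILLOCALPART + "@" + HOSTNAME
HTTPDUSER = "(?:" + EMAILADDRESS + "|" + USERNAME + ")"


def build_pattern(user_pat: str) -> re.Pattern:
    """Compile the issue's access-log match with the given ident/auth pattern."""
    return re.compile(
        r"^(?P<clientip>\S+) (?P<ident>" + user_pat + r") (?P<auth>" + user_pat + r") "
        r"\[(?P<timestamp>[^\]]+)\] "
        r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?|(?P<rawrequest>[^"]*))" '
        r"(?P<response>\d+) (?:(?P<bytes>\d+)|-)"
    )


def parse(line: str, user_pat: str):
    """Return the captured fields, or None (grok's _grokparsefailure) on no match."""
    m = build_pattern(user_pat).match(line)
    return m.groupdict() if m else None


# WORKING_LINE is the issue's working sample; EMAIL_LINE is constructed with a
# placeholder address in place of the redacted one.
WORKING_LINE = ('123.123.123.123 - bvonstvieth [08/Feb/2017:14:32:15 +0100] '
                '"PROPFIND /remote.php/webdav/ HTTP/1.1" 207 408 "-" '
                '"Mozilla/5.0 (Macintosh) mirall/2.2.4 (build 3709)"')
EMAIL_LINE = ('123.123.123.123 - user@example.org [08/Feb/2017:13:50:14 +0100] '
              '"PROPFIND /remote.php/webdav/ HTTP/1.1" 207 389 "-" '
              '"Mozilla/5.0 (Macintosh) mirall/2.2.4 (build 3709)"')

if __name__ == "__main__":
    # With USERNAME the e-mail line is dropped as a parse failure; with
    # HTTPDUSER both lines yield a populated auth field.
    for name, pat in (("USER", USERNAME), ("HTTPDUSER", HTTPDUSER)):
        for line in (WORKING_LINE, EMAIL_LINE):
            fields = parse(line, pat)
            print(name, "->", "FAIL" if fields is None else fields["auth"])
```

Events that hit `_grokparsefailure` keep only the raw message, so authenticated-user activity silently disappears from any dashboard or alert keyed on `auth`; checking the failure tag count after a pattern upgrade is a cheap way to catch this.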