Apache integration Provided Grok expressions do not match field value

[zez3]

I've got some error popping when I started using the Apache Integration:

for log.file.path : /var/log/apache2/access.log :

event.original : 1.1.1.29 - - [13/Nov/2023:10:44:01 +0000] "<SCRIPT>NXSSTEST</SCRIPT> / HTTP/1.1" 400 3386 "-" "-"
error.message : Provided Grok expressions do not match field value: [1.1.1.29 - - [13/Nov/2023:10:44:01 +0000] \"<SCRIPT>NXSSTEST</SCRIPT> / HTTP/1.1\" 400 3386 \"-\" \"-\"]

and

for log.file.path : /var/log/apache2/error.log
event.original : AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
error.message : Provided Grok expressions do not match field value: [AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message]

and

for log.file.path: /var/log/apache2/other_vhosts_access.log
event.original: 127.0.1.1:80 1.1.1.29 - - [13/Nov/2023:10:44:31 +0000] "\x16\x03\x03\x01\x8f\x01" 400 483 "-" "-"
event.original: 127.0.1.1:80 1.1.1.29 - - [13/Nov/2023:10:44:01 +0000] "<SCRIPT>NXSSTEST</SCRIPT> / HTTP/1.1" 400 483 "-" "-"
error.message: Provided Grok expressions do not match field value: [127.0.1.1:80 1.1.1.29 - - [13/Nov/2023:10:44:31 +0000] \"\\x16\\x03\\x03\\x01\\x8f\\x01\" 400 483 \"-\" \"-\"]
error.message: Provided Grok expressions do not match field value: [127.0.1.1:80 130.92.254.29 - - [13/Nov/2023:10:44:01 +0000] \"<SCRIPT>NXSSTEST</SCRIPT> / HTTP/1.1\" 400 483 \"-\" \"-\"]

[zez3]

@andrewkroh can you please flag this as bug and assign a team.
Thanks 🙏

[samhop]

Hi. We are experiencing the same issue. Is this bug being investigated?

event.original: xxx.xx.xxx.xx - - [22/May/2024:08:21:14 +0300] \"\\n\" 400 226 98

error.message: Provided Grok expressions do not match field value: [xxx.xx.xxx.xx - - [22/May/2024:08:21:14 +0300] \"\\n\" 400 226 98]

[harnish-crest-data]

Hi. We are experiencing the same issue. Is this bug being investigated?

event.original: xxx.xx.xxx.xx - - [22/May/2024:08:21:14 +0300] \"\\n\" 400 226 98

error.message: Provided Grok expressions do not match field value: [xxx.xx.xxx.xx - - [22/May/2024:08:21:14 +0300] \"\\n\" 400 226 98]

Found similar issue: #9952

[harnish-crest-data]

Hey @zez3 @samhop,

Can I get the following details for further investigation?

• Apache version that you are using
• Log pattern of the provided logs (access logs and error logs) are default? Are there any modification happened manually in the Apache instance? If yes please let me know.

[zez3]

@harnish-elastic

In my case there was indeed a manual change of the apache format logs. I suppose we would need something more complicated to recognize the patterns

[samhop]

Hey @zez3 @samhop,

Can I get the following details for further investigation?

• Apache version that you are using
• Log pattern of the provided logs (access logs and error logs) are default? Are there any modification happened manually in the Apache instance? If yes please let me know.

We have CustomLog logs/ssl_access_log combined

Server version: Apache/2.4.57 (Red Hat Enterprise Linux)

[harnish-crest-data]

Hey @zez3 @samhop,

For the access logs, I am able to collect data by changing the grok pattern. I will raise PR for it in short time. But for the error logs, Can you please provide me log format as well as the sample logs to debug more?

Also please provide me the access log format that you are using in apache so that we can also re-produce the logs in our enviroment and test the grok!

[zez3]

For the access logs, I am able to collect data by changing the grok pattern.

That was also temporary(on next update they will be gone) my workaround, I just added in logs-apache.access-1.18.0 a second line with my custom format:

%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\] "-" %{NUMBER:http.response.status_code:long} -

and in logs-apache.error-1.18.0 pipeline:

\[%{APACHE_TIME:apache.error.timestamp}\] \[%{DATA:apache.error.module}:%{APACHE_LOGLEVEL:log.level}\] \[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\]( \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}

but I think we need a different solution so that any user can easily customize this in the custom pipeline logs-apache.access@custom respectively logs-apache.error@custom

@andrewkroh What do you think? would something like this be possible?

[harnish-crest-data]

Hey @zez3 @samhop,

I have raised draft PR for access log grok support #10228.

For the error logs I still need raw logs as well as apache instance error log pattern to create generic grok pattern in elastic. Can you please provide me so that I can investigate more?

[harnish-crest-data]

Hey @zez3 @samhop,

I have raised draft PR for access log grok support #10228.

For the error logs I still need raw logs as well as apache instance error log pattern to create generic grok pattern in elastic. Can you please provide me so that I can investigate more?

Hey @zez3 @samhop Do I have any updates?