[O11y][Apache] Update grok pattern for access and error log data streams #10228
Conversation
🚀 Benchmarks reportTo see the full report comment with |
harnish-crest-data
changed the title
…pache-access-logs Conflicts: packages/apache/_dev/build/docs/README.md packages/apache/changelog.yml packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json packages/apache/data_stream/access/fields/ecs.yml packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json packages/apache/docs/README.md
| ignore_missing: true | ||
| on_failure: | ||
| - set: | ||
| field: tmp_host |
There was a problem hiding this comment.
Are we removing the tmp_host field after processing is done?
There was a problem hiding this comment.
No, it will be automatically removed by null processor as we are setting it's value to empty string. The reason behind this thing is, we need to do swapping up the source.address value!
| @@ -2,3 +2,4 @@ | |||
| [Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd' | |||
| [Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico | |||
| [Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html | |||
| AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message | |||
There was a problem hiding this comment.
Is this a valid error log message? Does this entry doesn't log the timestamp?
There was a problem hiding this comment.
Please checkout this quote that I have already attached in the description. This is warning log that is coming in the error log file and this log is the main reason of failure in the grok pattern!
| @@ -184,6 +184,24 @@ | |||
| "tags": [ | |||
| "preserve_original_event" | |||
| ] | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
Did we try loading this document without @timestamp field in the dashboard? What happens if the user is trying to filter data for a specific time range in discover or in the dashboard?
There was a problem hiding this comment.
Yes we have tried this and if there are no timestamp present, it will take the doc ingestion time.
|
Are we supporting this log format as well? |
Yes we are supporting this log format. Let me update the same in pipeline tests! |
Can you update the sample log in the pipeline test? |
Updated, thanks! |
| @@ -23,30 +25,49 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | |||
| Supported format for the access logs are: | |||
|
|
|||
| - [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format) | |||
There was a problem hiding this comment.
-
Please change the reference link to point to the official Apache documentation.
-
Verify the link below, if its not specific to a release version we can include the below link for reference.
common log format
There was a problem hiding this comment.
Updated, thanks!
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
andrewkroh
added
Integration:apache
…pache-access-logs Conflicts: packages/apache/changelog.yml
💚 Build Succeeded
History
cc @harnish-elastic |
|
|
Package apache - 1.23.0 containing this change is available at https://epr.elastic.co/search?package=apache |
Proposed commit message
%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"%A:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"%h:%p %l %u %t \"%{req}i %U %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"Checklist
changelog.ymlfile.Related issues