[O11y][Apache] Update grok pattern for access and error log data streams #10228
elasticmachine commented Jun 24, 2024 (edited)
🚀 Benchmarks report. To see the full report, comment with
…pache-access-logs
Conflicts:
packages/apache/_dev/build/docs/README.md
packages/apache/changelog.yml
packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json
packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json
packages/apache/data_stream/access/fields/ecs.yml
packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
packages/apache/docs/README.md
kush-elastic left a comment
LGTM!
| ignore_missing: true | ||
| on_failure: | ||
| - set: | ||
| field: tmp_host |
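Review bot: the on_failure handler here sets tmp_host, but the hunk shows neither the value assigned nor where the field is consumed, and the author's reply in this thread says cleanup depends on a later processor dropping the field once it holds an empty string. Put that intent in a comment beside this set (emptied on purpose, removed by the null-value cleanup) so a future edit to the cleanup step does not leak a stray tmp_host into indexed documents, and have the pipeline test's expected JSON assert that tmp_host is absent.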
Are we removing the tmp_host field after processing is done?
No, it will be automatically removed by the null processor, as we are setting its value to an empty string. The reason behind this is that we need to swap the source.address value!
| [Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd' | ||
| [Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico | ||
| [Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html | ||
| AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message |
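Review bot: the last sample (AH00558, the ServerName warning) carries no timestamp, module, level or pid, unlike the three bracketed lines above it, so the expected JSON for this fixture should pin down what @timestamp the pipeline assigns to that document (or that it is emitted without one) and that no grok-failure tag is set; otherwise the test passes without proving the case this PR exists to fix. The third line's client carries a port (89.160.20.156:12345) while the second's does not, so the expected output should also show source.port present for one and absent for the other.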
Is this a valid error log message? Does this entry not log the timestamp?
Please check out this quote that I have already attached in the description. This is a warning log that is coming in the error log file, and this log is the main reason for the failure in the grok pattern!
| "preserve_original_event" | ||
| ] | ||
| }, | ||
| { |
Did we try loading this document without the @timestamp field in the dashboard? What happens if the user is trying to filter data for a specific time range in Discover or in the dashboard?
muthu-mps commented Jul 17, 2024
Are we supporting this log format as well?
harnish-crest-data commented Jul 17, 2024
Yes, we are supporting this log format. Let me update the same in the pipeline tests!
muthu-mps commented Jul 17, 2024
Can you update the sample log in the pipeline test?
harnish-crest-data commented Jul 17, 2024
Updated, thanks!
| @@ -23,30 +25,49 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | |||
| Supported format for the access logs are: | |||
| - [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format) | |||
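Review bot: the README's "Supported format for the access logs are:" list links the Common Log Format bullet to Wikipedia rather than to the Apache mod_log_config documentation, and it does not show the three LogFormat strings from the PR description (%h ..., %A:%p %h ..., %h:%p ...) as literal directives. Adding those strings verbatim under this list would let a user compare them against their own httpd.conf and know exactly which variants the grok pattern accepts.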
Please change the reference link to point to the official Apache documentation.
Verify the link below; if it's not specific to a release version, we can include the link below for reference.
common log format
Updated, thanks!
Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com>
muthu-mps left a comment
LGTM!
…pache-access-logs
Conflicts:
packages/apache/changelog.yml
elasticmachine commented Jul 22, 2024
💚 Build Succeeded
cc @harnish-elastic
elasticmachine commented Jul 22, 2024
Package apache - 1.23.0 containing this change is available at https://epr.elastic.co/search?package=apache





Uh oh!
There was an error while loading.Please reload this page.
Proposed commit message
%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
%A:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
%h:%p %l %u %t \"%{req}i %U %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
Checklist
changelog.yml file.
Related issues
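As an added example, not code from this PR or from the apache package, the three LogFormat strings in the proposed commit message and the four error-log lines from the PR's test-error-basic.log hunk, parsed with grok-style Python regexes into flat ECS-like keys. It shows the two things the reviewers press on: the host:port variants must be tried before the plain %h form so the prefix is not swallowed as a bare host, and the untimestamped AH00558 warning must survive as a document with no @timestamp rather than as a grok failure (time-range filters will then miss it until ingest time is substituted). The access-log lines are constructed; the ECS field names and the mapping of %A/%p to destination.* are my assumptions (Apache's %p is the canonical server port, not the client's), not the package's own mapping.

```python
import re
from datetime import datetime
from typing import Optional

# Access-log samples, constructed for this example, one per LogFormat in the PR description.
ACCESS_SAMPLES = [
    '203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    '10.0.0.5:443 203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7:8080 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 404 0 "-" "curl/8.0"',
]
# Error-log samples, copied from the PR's test fixture hunk; the last one has no timestamp prefix.
ERROR_SAMPLES = [
    "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'",
    "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
    "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
    "AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message",
]

# Shared tail: %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" (the two quoted headers are optional).
_TAIL = (
    r'(?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)")?$'
)
# Order matters: host:port variants go first so "%A:%p %h" is not read as a bare %h with a colon in it.
ACCESS_PATTERNS = [
    re.compile(r'^(?P<local_ip>\S+?):(?P<local_port>\d+) (?P<remote>\S+) ' + _TAIL),  # %A:%p %h ...
    re.compile(r'^(?P<remote>\S+?):(?P<server_port>\d+) ' + _TAIL),                   # %h:%p ...
    re.compile(r'^(?P<remote>\S+) ' + _TAIL),                                          # %h ...
]
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] '
    r'\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\](?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$'
)
AH_CODE_RE = re.compile(r'^(AH\d{5}):')


def _dash(value: Optional[str]) -> Optional[str]:
    """Apache writes '-' for an absent field; an ECS document omits it instead."""
    return None if value in (None, "-") else value


def parse_access_line(line: str) -> Optional[dict]:
    """Map one access-log line to flat ECS-style keys (assumed names), or None if no format matches."""
    for pattern in ACCESS_PATTERNS:
        m = pattern.match(line)
        if m:
            break
    else:
        return None
    g = m.groupdict()
    event = {
        "@timestamp": datetime.strptime(g["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat(),
        "source.address": _dash(g["remote"]),
        "user.name": _dash(g["user"]),
        "http.response.status_code": int(g["status"]),
        "http.response.body.bytes": None if g["bytes"] == "-" else int(g["bytes"]),
        "http.request.referrer": _dash(g.get("referrer")),
        "user_agent.original": _dash(g.get("user_agent")),
    }
    if g.get("local_ip"):  # %A:%p is the server's own address and port (assumed mapping)
        event["destination.address"] = g["local_ip"]
        event["destination.port"] = int(g["local_port"])
    if g.get("server_port"):  # %p is the canonical server port, so it is destination.*, not source.*
        event["destination.port"] = int(g["server_port"])
    parts = g["request"].split(" ")
    if len(parts) == 3:  # "METHOD /path HTTP/x.y"; anything else is kept verbatim as the URL
        event["http.request.method"], event["url.original"] = parts[0], parts[1]
        event["http.version"] = parts[2].split("/", 1)[-1]
    else:
        event["url.original"] = g["request"]
    return event


def _error_time(text: str) -> str:
    """Error-log timestamps carry no zone (server local time); microseconds are optional."""
    for fmt in ("%a %b %d %H:%M:%S.%f %Y", "%a %b %d %H:%M:%S %Y"):
        try:
            return datetime.strptime(text, fmt).isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised error-log timestamp: {text!r}")


def parse_error_line(line: str) -> dict:
    """Map one error-log line to ECS-style keys. A line without the bracketed prefix (the AH00558
    ServerName warning) is kept as a message with @timestamp=None instead of failing the match;
    the caller must fill @timestamp (typically ingest time) before the document is time-filterable."""
    event = {"event.original": line, "@timestamp": None}
    m = ERROR_RE.match(line)
    if m is None:
        event["message"] = line
    else:
        g = m.groupdict()
        event["@timestamp"] = _error_time(g["time"])
        event["apache.error.module"], event["log.level"] = g["module"], g["level"]
        event["process.pid"] = int(g["pid"])
        if g["tid"]:
            event["process.thread.id"] = int(g["tid"])
        if g["client"]:
            host, sep, port = g["client"].rpartition(":")
            # Split host:port only for IPv4; an unbracketed IPv6 client value is ambiguous, keep it whole.
            if sep and port.isdigit() and "." in host:
                event["source.address"], event["source.port"] = host, int(port)
            else:
                event["source.address"] = g["client"]
        event["message"] = g["message"]
    code = AH_CODE_RE.match(event["message"])
    if code:
        event["error.code"] = code.group(1)
    return event


if __name__ == "__main__":
    for sample in ACCESS_SAMPLES:
        print(parse_access_line(sample))
    for sample in ERROR_SAMPLES:
        print(parse_error_line(sample))
```

Run it and the fourth error line comes back with "@timestamp": None and "error.code": "AH00558" instead of being rejected; that document is exactly the one a Discover time-range query will never return unless the pipeline sets a timestamp on it, which is the reviewer's point.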