
[Apache HTTP Server]: IP/port not identified in error log if source port is 0 #11682

Open
moonsoftsrl opened this issue Nov 9, 2024 · 0 comments
Labels
Integration:apache Apache HTTP Server needs:triage Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]


moonsoftsrl commented Nov 9, 2024

Integration Name

Apache HTTP Server [apache]

Dataset Name

apache.error

Integration Version

1.26.0

Agent Version

8.15.3

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.3

OS Version and Architecture

Ubuntu 24.04.1 LTS (x86_64)

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Standard configuration - not too relevant, as this is specifically related to the Ingest Pipeline.

What did you see?

In some cases the error log message generated by apache contains the source ip:port where the port is reported as 0 (e.g. [client 10.0.72.199:0]).

This is a single record from the log:

[Sat Nov 09 11:35:11.020036 2024] [php7:warn] [pid 109103:tid 109103] [client 10.0.72.199:0] PHP Warning:  fopen(/var/www/html/): failed to open stream: No such file or directory in ...

The current ingest pipeline uses this pattern to identify the client ip:port (if present):

- (\[%{APACHE_TIME:apache.error.timestamp}\] )?(\[%{DATA:apache.error.module}:%{APACHE_LOGLEVEL:log.level}\] \[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\]( \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? )?%{GREEDYDATA:message}

The POSINT pattern breaks the identification of the string [client 10.0.72.199:0], so source.address and source.port are not populated and everything becomes part of the message.

This is the structured data (shown as a screenshot in the original issue).

What did you expect to see?

For this kind of log

[Sat Nov 09 11:35:11.020036 2024] [php7:warn] [pid 109103:tid 109103] [client 10.0.72.199:0] PHP Warning:  fopen(/var/www/html/): failed to open stream: No such file or directory in ...

The correct structured data is (shown as a screenshot in the original issue):

The NONNEGINT pattern matches non-negative integers including zero while POSINT matches positive integers only.

Anything else?

I have made the suggested change in my instance of Elasticsearch and all worked as expected.

I have already committed the code in my forked project, and I would be happy to contribute with the appropriate pull request.
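As an added worked example (not part of the issue report or of the Elastic integration's own code), the grok pattern quoted above and the proposed NONNEGINT substitution can be exercised offline by translating the grok template into a Python regular expression and running both variants over the reported line. POSINT and NONNEGINT use the logstash-patterns-core definitions; APACHE_TIME, APACHE_LOGLEVEL, IPORHOST and NUMBER are simplified stand-ins (an assumption, not the integration's real definitions), and the second sample line with port 54321 is constructed for contrast.

```python
import re

# Log line copied from the issue report (source port reported as 0).
SAMPLE_PORT_ZERO = (
    "[Sat Nov 09 11:35:11.020036 2024] [php7:warn] [pid 109103:tid 109103] "
    "[client 10.0.72.199:0] PHP Warning:  fopen(/var/www/html/): failed to open "
    "stream: No such file or directory in ..."
)
# Constructed variant with a non-zero source port, for contrast.
SAMPLE_PORT_NONZERO = SAMPLE_PORT_ZERO.replace("10.0.72.199:0]", "10.0.72.199:54321]")

# POSINT and NONNEGINT are the grok definitions from logstash-patterns-core.
# The other entries are simplified stand-ins (assumption), adequate for Apache
# error-log lines but not the integration's real pattern definitions.
GROK_DEFS = {
    "APACHE_TIME": r"[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}",
    "DATA": r".*?",
    "APACHE_LOGLEVEL": r"[a-z]+\d*",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",   # positive integers only: rejects 0
    "NONNEGINT": r"\b(?:[0-9]+)\b",     # non-negative integers: accepts 0
    "GREEDYDATA": r".*",
}

# The apache.error grok pattern quoted in the issue, with the port pattern
# name left as a placeholder (__PORT__) so both variants can be compiled.
APACHE_ERROR_TEMPLATE = (
    r"(\[%{APACHE_TIME:apache.error.timestamp}\] )?"
    r"(\[%{DATA:apache.error.module}:%{APACHE_LOGLEVEL:log.level}\] "
    r"\[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\]"
    r"( \[client %{IPORHOST:source.address}(:%{__PORT__:source.port})?\])? )?"
    r"%{GREEDYDATA:message}"
)

# Matches %{PATTERN}, %{PATTERN:field} or %{PATTERN:field:type}.
GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?(?::(\w+))?\}")


def compile_grok(template, defs):
    """Translate a grok template into a Python regex plus a field map.

    Field names such as ``source.port`` are not legal Python group names, so
    each capture becomes ``f<n>`` and the n-th entry of ``fields`` remembers
    the real field name and its optional type.
    """
    fields = []

    def expand(m):
        name, field, typ = m.groups()
        regex = defs[name]
        if field is None:
            return f"(?:{regex})"
        fields.append((field, typ))
        return f"(?P<f{len(fields) - 1}>{regex})"

    return re.compile(GROK_REF.sub(expand, template)), fields


def grok_match(line, template, defs):
    """Return the extracted fields as a dict, or None if the line does not match."""
    regex, fields = compile_grok(template, defs)
    m = regex.match(line)
    if m is None:
        return None
    result = {}
    for i, (field, typ) in enumerate(fields):
        value = m.group(f"f{i}")
        if value is None:  # optional group that did not participate in the match
            continue
        result[field] = int(value) if typ == "long" else value
    return result


def parse_apache_error(line, port_pattern="POSINT"):
    """Parse one apache.error line using POSINT (current) or NONNEGINT (proposed)."""
    template = APACHE_ERROR_TEMPLATE.replace("__PORT__", port_pattern)
    return grok_match(line, template, GROK_DEFS)


if __name__ == "__main__":
    for port_pattern in ("POSINT", "NONNEGINT"):
        for line in (SAMPLE_PORT_ZERO, SAMPLE_PORT_NONZERO):
            fields = parse_apache_error(line, port_pattern)
            print(port_pattern,
                  {k: fields.get(k) for k in ("source.address", "source.port")},
                  "| message starts:", fields["message"][:32])
```

With POSINT the optional `[client ...]` group cannot match `:0`, so the whole bracketed client block falls through into `message` and `source.address` is absent; with NONNEGINT the same line yields `source.address` = 10.0.72.199 and `source.port` = 0, and the constructed port-54321 line parses identically under both variants.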

@andrewkroh andrewkroh added Integration:apache Apache HTTP Server Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Nov 9, 2024