web_log reports unmatched lines #2295
Comments
@l2isbad have a look... |
Well, how they should be parsed? |
hm... the request URL is funny for sure, but the rest of the data seems ok. Generally speaking, we should try to match 100% of the log. A vulnerability scan, or an attack, that is not matched will prevent an alarm from triggering. If we decide to ignore funny but legit log lines, we should add an alarm for the unmatched entries. I can do this. But I think we should first attempt to match the lines. If this is impossible or unreasonably hard, I will add the alarm. |
```python
import re

# web_log pattern for the nginx extended format; the two marked parts need a
# "METHOD url HTTP/x.y" request field and do not match the request below.
nginx_ext_insert = re.compile(r'(?P<address>[\da-f.:]+)'
                              r' -.*?"(?P<method>[A-Z]+)'            # <- does not match
                              r' (?P<url>[^ ]+)'
                              r' [A-Z]+/(?P<http_version>\d\.\d)"'   # <- does not match
                              r' (?P<code>[1-9]\d{2})'
                              r' (?P<bytes_sent>\d+)'
                              r' (?P<resp_length>\d+)'
                              r' (?P<resp_time>\d+\.\d+) ')

# The $request field of the unmatched line, as nginx escaped it in the log:
request = r'\x15\x03\x01\x00 N\x87\x98\x04l5\xAF\x89\x92\xF7\xDB\xB9 \xD1\xF3\xFF\xBAa'
```
hm... if we match them, the charts that show these will become full of garbage dimensions. |
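As an added example (not code from this thread or from netdata's web_log plugin), the following runs the strict pattern quoted above over a constructed log sample in the extended nginx format, and adds an assumed lenient fallback that captures the quoted request as one opaque field. Lines whose request is escaped binary (such as the `\x15\x03\x01...` request above) are then counted under a single `garbage` bucket, which a chart dimension or an alarm can use, instead of producing one garbage dimension per bogus method or URL. The names `STRICT`, `LENIENT`, `TLS_RECORD`, `classify` and `summarize`, the sample log lines, and the TLS-record heuristic are all mine, not the plugin's.

```python
import re
from collections import Counter

# Strict pattern quoted in the thread (netdata's nginx extended format); it
# only matches a well-formed "METHOD /url HTTP/x.y" request field.
STRICT = re.compile(r'(?P<address>[\da-f.:]+)'
                    r' -.*?"(?P<method>[A-Z]+)'
                    r' (?P<url>[^ ]+)'
                    r' [A-Z]+/(?P<http_version>\d\.\d)"'
                    r' (?P<code>[1-9]\d{2})'
                    r' (?P<bytes_sent>\d+)'
                    r' (?P<resp_length>\d+)'
                    r' (?P<resp_time>\d+\.\d+) ')

# Assumed fallback (not the plugin's own pattern): same line layout, but the
# quoted request is captured as one opaque field. nginx escapes '"', '\' and
# non-printable bytes as \xHH inside $request, so the field has no raw '"'.
LENIENT = re.compile(r'(?P<address>[\da-f.:]+)'
                     r' -.*?"(?P<request>[^"]*)"'
                     r' (?P<code>[1-9]\d{2})'
                     r' (?P<bytes_sent>\d+)'
                     r' (?P<resp_length>\d+)'
                     r' (?P<resp_time>\d+\.\d+) ')

# Heuristic (assumption): an escaped TLS record header at the start of the
# request (content type 0x14-0x17, version 3.0-3.4) means a client spoke TLS
# to a plaintext HTTP port, which is what \x15\x03\x01 looks like.
TLS_RECORD = re.compile(r'^\\x1[4-7]\\x03\\x0[0-4]')


def classify(line):
    """Return (bucket, fields); bucket is 'ok', 'garbage' or 'unmatched'."""
    m = STRICT.search(line)
    if m:
        return 'ok', m.groupdict()
    m = LENIENT.search(line)
    if m:
        fields = m.groupdict()
        fields['kind'] = ('tls_record' if TLS_RECORD.match(fields['request'])
                          else 'binary')
        return 'garbage', fields
    return 'unmatched', {}


def summarize(lines):
    """Count lines per bucket, plus per-kind and per-status detail for garbage
    requests: one counter per bucket, never a dimension per garbage method."""
    counts = Counter()
    for line in lines:
        bucket, fields = classify(line)
        counts[bucket] += 1
        if bucket == 'garbage':
            counts['garbage_' + fields['kind']] += 1
            counts['garbage_code_' + fields['code']] += 1
    return counts


# Constructed sample log (extended nginx format); the third line carries the
# escaped request bytes quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 120 0.002 "-" "curl/7.52.1"',
    '198.51.100.7 - - [11/Jun/2017:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 345 0.031 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [11/Jun/2017:10:00:03 +0000] "\x15\x03\x01\x00 N\x87\x98\x04l5\xAF\x89\x92\xF7\xDB\xB9 \xD1\xF3\xFF\xBAa" 400 166 28 0.000 "-" "-"',
    r'203.0.113.5 - - [11/Jun/2017:10:00:04 +0000] "\x00\x00\x00\x00junk" 400 166 9 0.000 "-" "-"',
    'this line is not an access log entry at all',
]

if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(classify(line)[0], line[:60])
    print(summarize(SAMPLE_LOG))
```

The strict pattern still fails on the binary request, exactly as reported; the lenient one accepts it because the status, byte counts and timing fields after the quoted request are intact. Anything that neither pattern accepts stays `unmatched`, which is the count an alarm for unparsed entries would watch.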
@l2isbad before adding the alarm, one last thought: What if we turn We could then an alarm for What do you think? |
I thought about it but "$request" (which parsed as |
But yes, you can mark the issue as 'enhancement'. |
ok |
Currently the netdata team doesn't have enough capacity to work on this issue. We will be more than glad to accept a pull request with a solution to the problem described here. This issue will be closed after another 60 days of inactivity. |
So, we don't have an alarm for unmatched entries? |
Yes |
web_log plugin reports unmatched lines.
This is my log:
It seems someone is trying to scan our web servers to find vulnerabilities!!
Nginx responded to these requests with 400, but Netdata shows them as unmatched.