integrate CONNECT proxy method parsing to common/combined parser
philhagen committed Oct 23, 2018
1 parent 11a83e3 commit c9cbc15
Showing 2 changed files with 1 addition and 5 deletions.
3 changes: 0 additions & 3 deletions configfiles/6100-httpd.conf
@@ -28,21 +28,18 @@ filter {
match => { "message" =>
[
# syslog-based entries, as used on my own servers (HTTP access log pushed via syslog messages)
"%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{HOSTNAME:hostname} %{PROXYCONNECT}",
"%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{HOSTNAME:hostname} %{COMBINEDPROXYLOG_CUSTOM}",
"%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{HOSTNAME:hostname} %{COMMONPROXYLOG_CUSTOM}",
"%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{HOSTNAME:hostname} %{COMBINEDAPACHELOG_CUSTOM}",
"%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{HOSTNAME:hostname} %{COMMONAPACHELOG_CUSTOM}",

# live syslog-based data, partially parsed via the syslog{} input selector
"%{HOSTNAME:hostname} %{PROXYCONNECT}",
"%{HOSTNAME:hostname} %{COMBINEDPROXYLOG_CUSTOM}",
"%{HOSTNAME:hostname} %{COMMONPROXYLOG_CUSTOM}",
"%{HOSTNAME:hostname} %{COMBINEDAPACHELOG_CUSTOM}",
"%{HOSTNAME:hostname} %{COMMONAPACHELOG_CUSTOM}",

# straight-out NCSA combined/common formats. combined has to go first, since common will match a combined entry as well - and we break on first match
"%{PROXYCONNECT}",
"%{COMBINEDPROXYLOG_CUSTOM}",
"%{COMMONPROXYLOG_CUSTOM}",
"%{COMBINEDAPACHELOG_CUSTOM}",
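Review bot: with the dedicated PROXYCONNECT alternative dropped from all three match groups, a CONNECT line is only parsed if it also carries the full common/combined trailer (ident, username, timestamp, response code, bytes), and the ordering comment above the third group only explains combined-before-common. Since grok does not anchor at end of line, a *APACHELOG pattern would also match a proxy line and silently drop the cache/hierarchy status, so the comment should state the second ordering rule too, e.g. "proxy variants go before the plain Apache variants for the same reason". The same comment is worth adding to the two syslog-prefixed groups, which rely on identical ordering.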
3 changes: 1 addition & 2 deletions grok-patterns/for572_custom
@@ -41,11 +41,10 @@ URIPATH_CUSTOM %{URIPATH}|\*

# custom HTTPD common format (should flow to the combined format) to allow email address as the username, separate out query string from stub request
HTTPDUSER %{EMAILADDRESS}|%{USER}
COMMONAPACHELOG_CUSTOM %{IPORHOST:source_ip} %{USER:ident} %{HTTPDUSER:username} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:request_method} (?:%{WORD:protocol}://%{HOSTNAME:hostname}(?::%{POSINT:destination_port})?)?%{URIPATH_CUSTOM:request}(?:\?%{NOTSPACE:query_string})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response_code} (?:%{NUMBER:destination_bytes}|-)
COMMONAPACHELOG_CUSTOM %{IPORHOST:source_ip} %{USER:ident} %{HTTPDUSER:username} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:request_method} (?:%{WORD:protocol}://)?(?:%{HOSTNAME:hostname}(?::%{POSINT:destination_port})?)?(?:%{URIPATH_CUSTOM:request})?(?:\?%{NOTSPACE:query_string})?(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response_code} (?:%{NUMBER:destination_bytes}|-)
COMMONPROXYLOG_CUSTOM %{COMMONAPACHELOG_CUSTOM} %{WORD:proxy_cachestatus}:%{WORD:proxy_hierarchystatus}
COMBINEDAPACHELOG_CUSTOM (?:%{COMMONAPACHELOG_CUSTOM}) %{QS:referrer} %{QS:agent}
COMBINEDPROXYLOG_CUSTOM %{COMBINEDAPACHELOG_CUSTOM} %{WORD:proxy_cachestatus}:%{WORD:proxy_hierarchystatus}
PROXYCONNECT %{WORD:request_method} %{HOSTNAME:hostname}:%{POSINT:destination_port} HTTP/%{NUMBER:httpversion}

# hours:minutes:seconds, to allow any number of hours
HMS (?:[0-9]+):%{MINUTE}(?::%{SECOND})(?![0-9])
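Review bot: the rewritten COMMONAPACHELOG_CUSTOM makes protocol, hostname and request independently optional, which does let `CONNECT host:443 HTTP/1.1` land in request_method/hostname/destination_port with no request field, but it also loosens the first alternative in ways the old pattern did not: a request line consisting of only `%{WORD:request_method} ` now matches instead of falling through to rawrequest, `protocol://` is accepted without a host, and a malformed relative request such as `GET index.html HTTP/1.1` is captured with `index.html` as hostname. Consider keeping protocol and hostname coupled as before and adding the CONNECT form as its own alternative, e.g. `(?:%{WORD:protocol}://%{HOSTNAME:hostname}(?::%{POSINT:destination_port})?|%{HOSTNAME:hostname}:%{POSINT:destination_port})?`, so that everything the old pattern rejected still goes to rawrequest. The comment above HTTPDUSER should also be updated to say that the common format now covers proxy CONNECT requests (host:port with no path), since nothing else in the file documents why request became optional.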

0 comments on commit c9cbc15