Missing IIS file format #278
Comments
Quite likely a Grok bug. Have you run that Grok statement in the debugger within Kibana? I usually test new Grok parsers one field at a time to find which one breaks, then adjust as needed.
If you can post a few lines (sanitized is OK), I can try to take a look and show you the debug process here as well.
That's neat, didn't know that existed. I'd tested with something similar, but it's news to me that there was a debugger built into Kibana. From what I can see, the Grok seems to function as expected. I neutered a decent chunk of data for testing and it seems consistently successful.
Just pushed a change to the latest public branch in ce4fea7. I think the ingest timestamps you were seeing may have been from an older data load, because the (admittedly oddball) problem with your grok was that the X-Forwarded-For IP address being a That said, this version should handle your format for you!
Thank you! Really appreciate the assistance. I just updated and gave it a go, but it doesn't seem to ingest at all now. Tested with a sanitized version so I could share. Worst case, I can stand up a fresh instance and give it another go, but I haven't made any changes to the VM other than adding data and updating sof-elk itself. Any ideas?
What version of the VM are you using? (It's shown in the pre-authentication screen.) The changes were pushed to the latest public version (2023-04-19). I generally push updates just to the newest version, but this is very small, so I could merge the update to a different one if needed. Either way, the result from the update command shows that the VM is not getting the updated parser.
Sorry, that was the second time I ran the update, so it doesn't appear to have done anything but is in fact up to date. I was just trying to provide evidence (I confirmed the additional grok expression was in the httpd config file). I just grabbed a fresh version of the VM the other day, so it's revision 2023-04-19.
Roger - thanks for clarifying! I've run the sanitized data from your earlier post through and it worked, so I'm not sure what the problem may be. Are you putting the input data into a new file or overwriting an existing one? (The latter generally won't trip the filebeat prospectors to get the new content.) If you do something like
You bet! And I figured you had :) Seems even with the fresh copy in /logstash/httpd/ it still isn't picking anything up. At this point I'm tempted to spin up a new instance and try from the start, as it seems like something particular to my instance.
What about permissions? Can the
I had the files directly in
Ugh - well, this is exceptionally frustrating. Sorry to hear it's persisting. Could you try the load on a clean instance (ideally freshly extracted and updated), and send the following log files via email?
Also, let me know the approximate UTC time that you added the file to load.
Sorry for the delay. Just sent you over an email with the requested log files. Thanks for all the help through this!
Thanks! Closing the loop in the thread that this should be all fixed up now. Corrected the embarrassingly missing comma in 761535b.
Thanks for all the help! Confirmed ingest is functioning as expected.
I was attempting to ingest some logs with an updated version of the sof-elk VM with the following format:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For X-Forwarded-Proto x-SSL-Ver Crypt-Protocol
Currently, the logs ingest, but all the timestamps are set to ingest time and none of the fields are mapping correctly, so I think that the parsers just aren't sure how to handle the format.
I think I have a functional grok expression to handle them... but it doesn't seem to parse the logs I have when adding it to the 6100=httpd.conf on the VM. Very likely that user error is involved here... new to ELK and grok. What I believe to be a good grok expression for the aforementioned format is below.
%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:service_name} %{NOTSPACE:server_hostname} %{IPORHOST:destination_ip} %{WORD:request_method} %{URIPATH:request} %{NOTSPACE:query_string} %{NUMBER:destination_port} %{NOTSPACE:ident} %{IPORHOST:source_ip} %{NOTSPACE:version} %{NOTSPACE:useragent} %{NOTSPACE:referrer} %{NOTSPACE:hostname} %{NUMBER:response_code} %{NUMBER:response_sub} %{NUMBER:win_status} %{NUMBER:destination_bytes} %{NUMBER:source_bytes} %{NUMBER:response_time} %{NOTSPACE:x_source_ip} %{NOTSPACE:x_protocol} %{NOTSPACE:ssl_version} %{NOTSPACE:crypt_protocol}
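The "one field at a time" debugging approach recommended in the thread can be reproduced offline. The following is an added example, not sof-elk's parser and not the real Logstash Grok library: it expands the issue's Grok expression into a Python regex using simplified stand-ins for the library patterns it references (an assumption of the example; the library's own definitions are stricter), checks the capture count against the `#Fields:` header, and reports the first field at which a constructed IIS line stops lining up.

```python
"""Expand a Logstash-style Grok expression into a Python regex and test it
field by field against IIS W3C extended log lines.

Added illustration for this issue thread; it is not sof-elk's parser and does
not use the real Logstash Grok library."""
import re

# Simplified, Python-compatible stand-ins for the Logstash grok-patterns entries
# the issue's expression uses. Assumption of this example: the library versions
# are stricter (atomic groups, IPv6, two-digit years) and may differ at the edges.
GROK_LIBRARY = {
    "NOTSPACE": r"\S+",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}"
                         r"(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
}

# The expression from the issue, one %{PATTERN:field} token per log column.
IIS_GROK = (
    "%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:service_name} "
    "%{NOTSPACE:server_hostname} %{IPORHOST:destination_ip} "
    "%{WORD:request_method} %{URIPATH:request} %{NOTSPACE:query_string} "
    "%{NUMBER:destination_port} %{NOTSPACE:ident} %{IPORHOST:source_ip} "
    "%{NOTSPACE:version} %{NOTSPACE:useragent} %{NOTSPACE:referrer} "
    "%{NOTSPACE:hostname} %{NUMBER:response_code} %{NUMBER:response_sub} "
    "%{NUMBER:win_status} %{NUMBER:destination_bytes} %{NUMBER:source_bytes} "
    "%{NUMBER:response_time} %{NOTSPACE:x_source_ip} %{NOTSPACE:x_protocol} "
    "%{NOTSPACE:ssl_version} %{NOTSPACE:crypt_protocol}"
)

GROK_TOKEN = re.compile(r"%\{([A-Z0-9_]+)(?::([A-Za-z0-9_]+))?\}")


def grok_to_regex(expr):
    """Rewrite %{NAME:field} into a named group and %{NAME} into a plain group,
    repeating until nested references (IPORHOST -> IPV4/HOSTNAME) are gone."""
    def replace(m):
        body = GROK_LIBRARY[m.group(1)]          # KeyError: unknown pattern name
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    while GROK_TOKEN.search(expr):
        expr = GROK_TOKEN.sub(replace, expr)
    return expr


def grok_match(expr, line):
    """Return the captured fields for a full match, or None on a grokparsefailure."""
    m = re.fullmatch(grok_to_regex(expr), line)
    return m.groupdict() if m else None


def first_failing_field(expr, line):
    """The 'one field at a time' debug loop: match growing prefixes of the
    expression and report the first field at which the line stops lining up.
    None means every field matched."""
    tokens = expr.split(" ")
    for n in range(1, len(tokens) + 1):
        if not re.match(grok_to_regex(" ".join(tokens[:n])), line):
            return GROK_TOKEN.match(tokens[n - 1]).group(2)
    return None


def header_field_count(header_line):
    """Count the columns declared by an IIS '#Fields:' header. 'date' and 'time'
    are consumed by one TIMESTAMP_ISO8601 capture, so they count as one."""
    cols = header_line.split(":", 1)[1].split()
    return len(cols) - (1 if "date" in cols and "time" in cols else 0)


def grok_field_count(expr):
    """Number of named captures the expression produces."""
    return len(GROK_TOKEN.findall(expr))


# Constructed sample lines (not from the issue's data). IIS writes '+' for spaces
# inside the user-agent; the second line breaks that rule on purpose.
HEADER = ("#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) "
          "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken "
          "X-Forwarded-For X-Forwarded-Proto x-SSL-Ver Crypt-Protocol")
GOOD_LINE = ("2023-04-20 12:34:56 W3SVC1 WEBSRV01 10.0.0.5 GET /index.html - 443 - "
             "203.0.113.10 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - www.example.com "
             "200 0 0 1234 567 15 198.51.100.7 https - -")
BAD_LINE = GOOD_LINE.replace("Mozilla/5.0+(Windows+NT+10.0)", "Mozilla/5.0 (Windows NT 10.0)")

if __name__ == "__main__":
    print(header_field_count(HEADER), grok_field_count(IIS_GROK))   # 24 24
    print(grok_match(IIS_GROK, GOOD_LINE)["x_source_ip"])            # 198.51.100.7
    # The unescaped spaces shift every later column, but the mismatch is only
    # detected three fields downstream: read back from the reported field.
    print(first_failing_field(IIS_GROK, BAD_LINE))                    # response_sub
```

Two things the run shows that are easy to miss in the Kibana debugger: a column-count check against the file's own `#Fields:` header catches a format/expression mismatch before any line is parsed, and the field reported by prefix matching is the first one that can no longer be aligned, which is often several columns after the real defect.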