support for vhost:port in common/combined log formats #2688
This user does not have permission to start the build. Can one of the admins verify this patch and start the build?
@kira-syslogng ok to test
Build SUCCESS
This looks good to me. There are some white space only changes, maybe tab to space conversion, that could perhaps be removed, but it's ok this way, as that's only a few lines.
I didn't explicitly check that this is indeed the Apache combined format, but I trust you it is.
I used four spaces for indenting instead of tabs, what is your convention?
4 spaces is much better than a tab. So this change is welcome.
On Sat, Apr 20, 2019, 16:50 nambrosch ***@***.*** wrote:
i used four spaces for indenting instead of tabs, what is your convention?
Signed-off-by: Nik Ambrosch <nik@ambrosch.com>
Build SUCCESS
The patch itself looks good to me. I just have one question for clarification.
Could you explain what you mean by unofficial format? I tried to investigate, and here is what I found. According to the documentation, the official combined log format is
which is different from the introduced version. I fired up an apache server on centos:7 in docker, and they use the official format above. So what is happening here is that some distributions deviate from the official log format? And the goal here is to support those distributions too? Out of curiosity, which distribution do you use? Btw, I do not have a problem with that. I like the idea that syslog-ng should work out of the box, and support the deviations of major distributions.
scl/apache/apache.conf (outdated)
# if traditional log format
From a clean code point of view, instead of this comment, you could give a name to these parser blocks. Analogously to `block parser apache-accesslog-parser(prefix(".apache.") template("${MESSAGE}"))`, you could extract these branches into `apache-access-log-traditional-part` and `apache-access-log-combined-part`. That would make the scl a little more readable. As maybe there are other distributions with different formats, it would be easier to extend later on.
I wasn't aware that ubuntu has this LogFormat already available, thanks for pointing it out. Fedora/CentOS does not include this format. It might make more sense to reference the name as vhost_combined instead of vcombined.
Shifting from 1 -> 3 blocks is a good idea, I'll explore that tonight.
Using one block for each log format makes extending easier. Signed-off-by: Nik Ambrosch <nik@ambrosch.com>
@furiel split the blocks per your suggestion.
Build SUCCESS
Hi,

This looks better indeed @furiel. Another layer of refinement occurred to me, but instead of describing it in email, here's the patch. I am sure @nambrosch is a bit fed up with all the improvements :) can you still apply this to your solution?

Basically I've moved the filter to apache-accesslog-parser-vhost(), which will drop all messages that don't match the required format. I've also fixed a bug, so that the template() option to apache-accesslog-parser-combined() actually uses that value, instead of hard-coding $1.

I didn't test this in this round, so it'd be appreciated if you could double-check that it still works for you.
```
diff --git a/scl/apache/apache.conf b/scl/apache/apache.conf
index 440e64269..9046f2452 100644
--- a/scl/apache/apache.conf
+++ b/scl/apache/apache.conf
@@ -25,6 +25,10 @@
# LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b" vhost_common
block parser apache-accesslog-parser-vhost(prefix() template()) {
channel {
+ rewrite {
+ set("`template`" value("1"));
+ };
+ filter { match("^[A-Za-z0-9\-\._]+:[0-9]+ " value("1")); };
parser {
csv-parser(
dialect(escape-double-char)
@@ -59,7 +63,7 @@ block parser apache-accesslog-parser-combined(prefix()
template()) {
dialect(escape-double-char)
flags(strip-whitespace)
delimiters(" ")
- template($1)
+ template(`template`)
quote-pairs('""[]')
columns("clientip", "ident", "auth",
"timestamp", "rawrequest", "response",
@@ -69,14 +73,12 @@ block parser apache-accesslog-parser-combined(prefix()
template()) {
};
block parser apache-accesslog-parser(prefix(".apache.")
template("${MESSAGE}")) {
+ # parse into a logstash-like schema
+ #
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns#L90
channel {
- rewrite {
- set("`template`" value("1"));
- };
# parser for formats including vhost:port
if {
- filter { match("^[A-Za-z0-9\-\._]+:[0-9]+ " value("1")); };
parser { apache-accesslog-parser-vhost(prefix(`prefix`)
template("$1")); };
# parser for standard formats
@@ -84,7 +86,8 @@ block parser apache-accesslog-parser(prefix(".apache.")
template("${MESSAGE}"))
parser { apache-accesslog-parser-combined(prefix(`prefix`)
template("$1")); };
};
- # parser for all formats
+ # mungle values to match Kibana/elastic schema and common to all
+ # supported formats.
parser {
csv-parser(
prefix(`prefix`)
```
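Review bot: in the first hunk (apache-accesslog-parser-vhost), `set("`template`" value("1"))` splices the caller's template into a double-quoted string, and the callers left in the later hunks pass template("$1"), so the rewrite expands to set("$1" value("1")), a self-assignment; the new filter then matches against whatever $1 held before the block ran. Pass the enclosing block's own `template` parameter from the callers, or give template() a non-empty default. A one-line comment saying that the match() failure is what sends the message to the caller's else branch would also help, since nothing in the block states that intent.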
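Review bot: the second hunk rightly replaces the hard-coded template($1) with template(`template`), but the block header keeps an empty default template(), so a call to apache-accesslog-parser-combined() that omits template() now hands the csv-parser an empty string where it previously got $1. Consider a default like the top-level block's template("${MESSAGE}").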
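Review bot: the third hunk removes the rewrite that populated $1 from `template`, but the unchanged context line right below still calls apache-accesslog-parser-vhost(prefix(`prefix`) template("$1")), so $1 is no longer set when the vhost parser runs. That call should pass template(`template`) instead.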
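Review bot: the fourth hunk has the same problem in the else branch: the context line apache-accesslog-parser-combined(prefix(`prefix`) template("$1")) still relies on $1, which the previous hunk stops setting, so both branches need template(`template`). Minor: "mungle" in the new comment should read "munge".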
On Mon, Apr 22, 2019 at 8:21 PM kira-syslogng ***@***.*** wrote:
Build SUCCESS
Here's that last branch as a git branch, feel free to integrate it into yours. https://github.com/bazsi/syslog-ng/tree/apache-access-log-parser-improvements
@bazsi I'm still using $1 two more times in moving the filter and changing $1 ->
Signed-off-by: Balazs Scheidler <balazs.scheidler@oneidentity.com>
Signed-off-by: Balazs Scheidler <balazs.scheidler@oneidentity.com>
I have just added a few more patches on top of the initial patch and sent a PR to @nambrosch. With those patches this has my approval, and I think it would be great if we could merge them by 3.21. Alternatively, we could merge my branch directly; it contains both this patch and my improvements.
@bazsi Thanks, I'm happy with those changes - confirmed it works on a fedora host and merged the PR.
Build SUCCESS
Btw, I implemented a template() option for match() to make these use cases easier to implement, but this can be merged as is; we could eventually make use of that in this parser as well.
I hope I can publish that branch once I have finished the tests.
Bazsi
On Mon, Apr 29, 2019, 02:04 kira-syslogng ***@***.*** wrote:
Build SUCCESS
Approved. It would be nice if you could get rid of the merge commit within the branch, just make sure it's a set of linear patches.
Thanks. Is it possible to remove that? I think trying to revert the merge commit in nambrosch/syslog-ng creates an additional PR, no?
@nambrosch you should be fine to hard reset to @bazsi's patch and force push it (it should not create a new PR). Something like this: https://asciinema.org/a/zRtDlGZjId1VheJeiMoqP4qr9
bf2efad to 16978f8
ah ha, perfect, all set.
Build SUCCESS
This patch will add support for vhost & port in common & combined apache logs as discussed @ #2670. Here is that format -
Below is my use case that I'm using on a test server, using the `${.apache.vhost}` macro to create a directory, then logging using combined format -
apache:
syslog-ng:
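As an added illustration (not code from this PR or from syslog-ng's SCL), here is a Python emulation of the branching the patch describes: the same vhost:port prefix test as the filter in apache-accesslog-parser-vhost(), then a space-delimited split that honours the `""` and `[]` quote pairs, storing fields under the `.apache.` prefix. The column names after `response`, the `.apache.port` field name and the two sample log lines are assumptions constructed for this example.

```python
import re
# Same prefix test as the patch's filter in apache-accesslog-parser-vhost().
VHOST_PORT_RE = re.compile(r"^[A-Za-z0-9\-\._]+:[0-9]+ ")
# First six names appear in the patch; the last three are assumed (grok schema).
COLUMNS = ["clientip", "ident", "auth", "timestamp", "rawrequest",
           "response", "bytes", "referrer", "agent"]

def split_fields(line):
    # Emulate csv-parser(delimiters(" ") quote-pairs('""[]') dialect(escape-double-char)).
    fields, buf, closer, i = [], "", None, 0
    while i < len(line):
        ch = line[i]
        if closer:
            if ch != closer:
                buf += ch
            elif line[i + 1:i + 2] == closer:   # "" inside "..." -> literal "
                buf += ch
                i += 1
            else:
                closer = None
        elif ch in '"[':
            closer = '"' if ch == '"' else "]"
        elif ch == " ":
            fields.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    fields.append(buf)
    return fields

def parse_access_log(line, prefix=".apache."):
    # Like the SCL if/else: strip a leading vhost:port if present, then parse the rest.
    out = {}
    m = VHOST_PORT_RE.match(line)
    if m:
        vhost, port = m.group(0).strip().rsplit(":", 1)
        out[prefix + "vhost"] = vhost   # ${.apache.vhost}, as used in the PR
        out[prefix + "port"] = port     # field name assumed for this example
        line = line[m.end():]
    fields = split_fields(line)
    if len(fields) < 7:                 # fewer fields than even the common format
        return None
    out.update(zip((prefix + n for n in COLUMNS), fields))
    return out

COMBINED = (  # constructed sample line, not taken from the PR
    '203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" '
    '200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"')
VHOST_COMBINED = "www.example.com:443 " + COMBINED   # same line, vhost_combined style
```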