Add Filebeat apache access vhost #12778
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
|
I think my PR has been forgotten? :) ( cc @jsoriano ) |
|
@wixaw oops, sorry 😬 Let me take a look. |
jsoriano
added
Team:Integrations
|
ok to test |
| @@ -4,6 +4,7 @@ | |||
| "grok": { | |||
| "field": "message", | |||
| "patterns":[ | |||
| "%{IPORHOST:http.vhost} %{IPORHOST:source.address} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:user_agent.original}\")?", | |||
There was a problem hiding this comment.
To follow ECS, I think that the vhost should go to the source.domain.
And I wonder if in this case we can consider that the source address is always going to be an IP, then we could directly store it in source.ip.
Do you know of any case where both fields are domains?
| "%{IPORHOST:http.vhost} %{IPORHOST:source.address} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:user_agent.original}\")?", | |
| "%{IPORHOST:source.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \\[%{HTTPDATE:apache.access.time}\\] \"(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?\" %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)( \"%{DATA:http.request.referrer}\")?( \"%{DATA:user_agent.original}\")?", |
There was a problem hiding this comment.
the second field is never a domain
|
Hummm |
Fix make assets error in metricbeat (elastic#13266)
update master
|
Thanks, I wanted to use "make start" but i have this error :/ we can see in "Dockerfile-filebeat" that it is not up to date |
Co-Authored-By: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Co-Authored-By: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Co-Authored-By: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Yeah sorry, I agree that this could be more intuitive 😬
Please don't use a real cluster for this, it can remove pipelines and other things, a local elasticsearch is enough, you can start it as you would start any other local elasticsearch. If you want to use the same version as used in CI, an option to start it is using docker is to run this from the filebeat directory: And then use |
|
A bit late to the party, but have you guys noticed that the name you are using for the new variable (the virtual host) is not really intuitive? |
|
@Verdoso thanks, actually this is a very valuable comment. Regarding storing it as a hostname or as a domain, there have been many discussions about that in ECS, and at the end we use domain for most hostnames, except when identifying a host, that then But it is true that using After some internal discussions we think that we should use @wixaw would you like to make the change from |
|
@jsoriano, thanks to you. If domain is used all over the place to mean hostnames, then at least it is consistent. destination.domain sounds fair enough. |
|
Hello @jsoriano Exemple : |
|
I do not understand this, I do not see any suggestion of modification |
Oh sorry 🤦♂️ I forgot to mention that you also need a test binary to execute. You can build it with My |
|
Failures in CI are not related, merging this, thanks! |
|
yeah !!! thanks ! See you soon 😄 |
It is common to modify the default log format in nginx to include the http host used by the client to make the logged request. This is similar to what we already did for Apache in #12778. It also fixes an issue found on source address parsing when source addresses are not IPs. For that, the pipeline works with addresses as strings instead of IPs, and it only tries to convert to IP to finally store the it in `source.ip` if it parses as an IP. Co-authored-by: poma <Semenov.Roman@mail.ru>
It is common to modify the default log format in nginx to include the http host used by the client to make the logged request. This is similar to what we already did for Apache in elastic#12778. It also fixes an issue found on source address parsing when source addresses are not IPs. For that, the pipeline works with addresses as strings instead of IPs, and it only tries to convert to IP to finally store the it in `source.ip` if it parses as an IP. Co-authored-by: poma <Semenov.Roman@mail.ru> (cherry picked from commit 1967bc9)
…ebeat module (#14654) It is common to modify the default log format in nginx to include the http host used by the client to make the logged request. This is similar to what we already did for Apache in #12778. It also fixes an issue found on source address parsing when source addresses are not IPs. For that, the pipeline works with addresses as strings instead of IPs, and it only tries to convert to IP to finally store the it in `source.ip` if it parses as an IP. (cherry picked from commit 1967bc9) Co-authored-by: poma <Semenov.Roman@mail.ru>
Hello
It's a PR for add vhost name in document :)
It's linked with this issue : #4859
++