Skip to content

Commit 6db00e7

Browse files
smokrissmokris
committed
Improve HTTPD24_ERRORLOG parsing of proxy errors
1 parent f01f3f3 commit 6db00e7

File tree

2 files changed

+19
-1
lines changed

2 files changed

+19
-1
lines changed

patterns/ecs-v1/httpd

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} "(?:-|%{DATA:[http][request][referrer]})" "
88

99
# Error logs
1010
HTTPD20_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:[log][level]}\] (?:\[client %{IPORHOST:[source][address]}\] )?%{GREEDYDATA:message}
11-
HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[(?:%{WORD:[apache][error][module]})?:%{LOGLEVEL:[log][level]}\] \[pid %{POSINT:[process][pid]:int}(:tid %{INT:[process][thread][id]:int})?\](?: \(%{POSINT:[apache][error][proxy][error][code]?}\)%{DATA:[apache][error][proxy][error][message]}:)?(?: \[client %{IPORHOST:[source][address]}(?::%{POSINT:[source][port]:int})?\])?(?: %{DATA:[error][code]}:)? %{GREEDYDATA:message}
11+
HTTPD24_ERRORLOG \[%{HTTPDERROR_DATE:timestamp}\] \[(?:%{WORD:[apache][error][module]})?:%{LOGLEVEL:[log][level]}\] \[pid %{POSINT:[process][pid]:int}(:tid %{INT:[process][thread][id]:int})?\](?: \(%{POSINT:[apache][error][proxy][error][code]}\)%{DATA:[apache][error][proxy][error][message]}:)?(?: \[client %{IPORHOST:[source][address]}(?::%{NONNEGINT:[source][port]:int})?\])?(?: %{DATA:[error][code]}:)? %{GREEDYDATA:message}
1212
# :long - %{INT:[process][thread][id]:int}
1313
HTTPD_ERRORLOG %{HTTPD20_ERRORLOG}|%{HTTPD24_ERRORLOG}
1414

spec/patterns/httpd_spec.rb

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -279,6 +279,24 @@
279279
end
280280
end
281281

282+
context "a httpd 2.4 proxy message" do
283+
let(:message) do
284+
"[Fri Sep 13 20:16:16.614584 2024] [proxy_fcgi:error] [pid 74738:tid 74765] (70008)Partial results are valid but processing is incomplete: [client 203.0.113.1:0] AH01075: Error dispatching request to : (reading input brigade)"
285+
end
286+
287+
it "matches" do
288+
expect(grok).to include('timestamp' => 'Fri Sep 13 20:16:16.614584 2024')
289+
if ecs_compatibility?
290+
expect(grok).to include("apache" => {"error" => {"module" => "proxy_fcgi", "proxy" => {"error" => {"code" => "70008", "message" => "Partial results are valid but processing is incomplete"}}}})
291+
expect(grok).to include("log" => {"level" => "error"})
292+
expect(grok).to include("process" => {"pid" => 74738, "thread" => {"id" => 74765}})
293+
expect(grok).to include("source" => {"address" => "203.0.113.1", "port" => 0})
294+
expect(grok).to include("error" => {"code" => "AH01075"})
295+
expect(grok).to include("message" => [message, "Error dispatching request to : (reading input brigade)"])
296+
end
297+
end
298+
end
299+
282300
context 'a debug message' do
283301
let(:message) do
284302
'[Fri Feb 01 22:03:08.319124 2019] [authz_core:debug] [pid 9:tid 140597881775872] mod_authz_core.c(820): [client 172.17.0.1:50752] AH01626: authorization result of <RequireAny>: granted'

0 commit comments

Comments
 (0)