From 5b7f20246a40f19f7ab5901da7024acb32474cb1 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Tue, 23 Nov 2021 12:28:42 +0100
Subject: [PATCH] Fix parsing of apache trace log levels (#28717) (#29091)
Apache levels may contain numbers as sublevels such as trace1.
(cherry picked from commit 78f3a3b0a4fd15d6583b105fb240f9b2985268be)
Co-authored-by: Jaime Soriano Pastor
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/apache/error/ingest/pipeline.yml | 4 +++-
 .../module/apache/error/test/sublevel.log | 2 ++
 .../error/test/sublevel.log-expected.json | 21 +++++++++++++++++++
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 filebeat/module/apache/error/test/sublevel.log
 create mode 100644 filebeat/module/apache/error/test/sublevel.log-expected.json
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f2acad353a95..607dc37ea356 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -193,6 +193,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Relax time parsing and capture group and session type in Cisco ASA module {issue}24710[24710] {pull}28325[28325]
 - Correctly track bytes read when max_bytes is exceeded. {issue}28317[28317] {pull}28352[28352]
 - Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963]
+- Fix parsing of apache log levels including numbers. {pull}28717[28717]
 - Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919]
 - Revert usageDetails api version to 2019-01-01. {pull}28995[28995]
 - Fix `threatintel.misp` filters configuration. {issue}27970[27970]
diff --git a/filebeat/module/apache/error/ingest/pipeline.yml b/filebeat/module/apache/error/ingest/pipeline.yml
index 4b8495dd9c89..ae35a6fb3716 100644
--- a/filebeat/module/apache/error/ingest/pipeline.yml
+++ b/filebeat/module/apache/error/ingest/pipeline.yml
@@ -11,10 +11,12 @@ processors:
 patterns:
 - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{LOGLEVEL:log.level}\]( \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
- - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{DATA:apache.error.module}:%{LOGLEVEL:log.level}\]
+ - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{DATA:apache.error.module}:%{APACHE_LOGLEVEL:log.level}\]
 \[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\]( \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
 pattern_definitions:
+ # Apache log level can have numeric sub-levels such as trace1.
+ APACHE_LOGLEVEL: '%{LOGLEVEL}[0-9]*'
 APACHE_TIME: '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}'
 ignore_missing: true
 - grok:
diff --git a/filebeat/module/apache/error/test/sublevel.log b/filebeat/module/apache/error/test/sublevel.log
new file mode 100644
index 000000000000..e4ad2fbd87b9
--- /dev/null
+++ b/filebeat/module/apache/error/test/sublevel.log
@@ -0,0 +1,2 @@
+[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'
+
diff --git a/filebeat/module/apache/error/test/sublevel.log-expected.json b/filebeat/module/apache/error/test/sublevel.log-expected.json
new file mode 100644
index 000000000000..26ad0e275386
--- /dev/null
+++ b/filebeat/module/apache/error/test/sublevel.log-expected.json
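Review bot: The first grok pattern in this hunk, the one without a module prefix, still uses the plain `%{LOGLEVEL:log.level}`, so a line whose level carries a numeric sub-level but no module name would presumably still fail to match and keep its level unparsed; for consistency with the second pattern it should read `- \[%{APACHE_TIME:apache.error.timestamp}\] \[%{APACHE_LOGLEVEL:log.level}\]( \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}`. The new `sublevel.log` fixture further down this line only exercises the `[rewrite:trace3]` form, so that gap is not covered by the test. Note also that `log.level` now carries values such as `trace3` rather than a bare level name, so any downstream filter or alert keyed on exact level values will need to account for the suffix. The grok processor being edited (`field: message`) starts above line 11, outside the hunk.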
@@ -0,0 +1,21 @@
+[
+ {
+ "@timestamp": "2021-10-20T19:20:59.121-02:00",
+ "apache.error.module": "rewrite",
+ "event.category": "web",
+ "event.dataset": "apache.error",
+ "event.kind": "event",
+ "event.module": "apache",
+ "event.original": "[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'",
+ "event.timezone": "-02:00",
+ "event.type": "info",
+ "fileset.name": "error",
+ "input.type": "log",
+ "log.level": "trace3",
+ "log.offset": 0,
+ "message": "mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'",
+ "process.pid": 121591,
+ "process.thread.id": 140413273032448,
+ "service.type": "apache"
+ }
+]