-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logparser common log format error (nginx/apache) #1810
Comments
@tympanix thanks for finding the bug! I was getting nuts not understanding why some requests weren't appearing on Influx. Taking that knowledge, I updated my logparser to "ignore" processing both
|
Great solution. I've done something similar by adding digits (0-9) and spaces to the NGUSER pattern to overcome this issue. We have a potential issue where both the ident and auth contains multiple words though. You wouldn't be able to tell them apart. I've never seen this in practice though. |
@tympanix are http ident and auth allowed to have spaces in them? I'm not sure there's anything we can do if so. I will definitely fix the case of numbers in the ident & auth for release 1.1. |
I have tested this on my own nginx server, and seemingly the http basic module does not complain when using spaces. The following is logged when using "my username here" as the username:
I would point out that this is an edge case. Also the password (which I assume to be the first dash) doesn't show regardless of the input. If that is always the case then we should be able to parse the log unambiguously. I don't know if this is related to apache as well. Thank you for the commit 👍 |
Bug report
Using the logparser plugin to parse nginx access log files does not parse http basic auth requests when the username contains a digit or spaces.
Applies to both the COMMON_LOG_FORMAT and COMBINED_LOG_FORMAT grok pattern. Issue may be relevant for apache logs as well.
Relevant telegraf.conf:
System info:
Steps to reproduce:
Expected behavior:
Telegraf matches the log file using either the COMMON_LOG_FORMAT or the COMBINED_LOG_FORMAT and passes the log onto the outputs.
Actual behavior:
When the username contains digits the log is ignored. When containing spaces words are parsed as other attributes (e.g. client_ip will be parsed as one of the words).
Additional info:
Here are some example logs that causes the error:
Using numbers in the http basic auth username:
Using spaces in the http basic auth username:
The text was updated successfully, but these errors were encountered: