What is the logstash grok pattern for apache error..?

I'm trying to configure a Logstash filter definition for Apache error logs. It is basically the 'combined' LogFormat with some additional fields; here is the Apache log format definition:
[11446] [Thu Jan 30 07:50:49 2020] [debug]: RT::Date used Time::ParseDate to make '2020-01-31T07:20:46Z' 1580446800 (/app/rt4/sbin/../lib/RT/Date.pm:274)
or it could be of this format:
[Wed Jun 26 22:13:22 2013] [error] [client 10.10.10.100] PHP Fatal error: Uncaught exception '\Foo\Bar'
I tried the below solution:
APACHE_ERROR_TIME %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHE_ERROR_LOG [%{APACHE_ERROR_TIME:timestamp}] [%{LOGLEVEL:loglevel}] (?:[client %{IPORHOST:clientip}] ){0,1}%{GREEDYDATA:errormsg}
but it gives a grok_match_failure.
Please help me with a generic working pattern for the above strings (meaning it should not matter if one of the parts of the string is not there).
Updated Question:
So, the above worked with https://stackoverflow.com/a/59986583/4127230 and I have again got stuck with another system log string.
Can you also suggest a similar generic grok pattern for the strings below:
Feb 2 18:21:14 localhost prometheus_postgres_exporter: time=\"2020-02-02T18:21:14+04:00\" level=info msg=\"Error while closing non-pinging DB connection: \" source=\"postgres_exporter.go:1001\"
and
Feb 2 05:56:10 localhost logstash: [2020-02-02T05:56:10,934][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}

Using the provided APACHE_ERROR_TIME, I got a match with this pattern:
\[%{APACHE_ERROR_TIME:timestamp}\] \[%{LOGLEVEL:loglevel}\](?: \[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
In addition to escaping the square brackets, there were some misplaced spaces that prevented the match.
For:
[11446] [Thu Jan 30 07:50:49 2020] [debug]: RT::Date used Time::ParseDate to make '2020-01-31T07:20:46Z' 1580446800 (/app/rt4/sbin/../lib/RT/Date.pm:274)
Result:
timestamp Thu Jan 30 07:50:49 2020
loglevel debug
clientip
errormsg : RT::Date used Time::ParseDate to make '2020-01-31T07:20:46Z' 1580446800 (/app/rt4/sbin/../lib/RT/Date.pm:274)
before match: [11446]
For:
[Wed Jun 26 22:13:22 2013] [error] [client 10.10.10.100] PHP Fatal error: Uncaught exception '\Foo\Bar'
Result:
timestamp Wed Jun 26 22:13:22 2013
loglevel error
clientip 10.10.10.100
errormsg PHP Fatal error: Uncaught exception '\Foo\Bar'
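As an added example (not part of the original question or answer), the following Python script expands the grok references in the answer's pattern into an ordinary regex and runs it over constructed copies of the two sample lines, so the field extraction (including the optional client group and the text before the match) can be checked without a Logstash instance. The base pattern definitions are simplified approximations of Logstash's shipped grok patterns, not the exact ones.

```python
import re

# Simplified approximations of the grok base patterns shipped with Logstash
# (assumption: close enough for these log lines, not the exact definitions).
GROK = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:[0-2]?[0-9]:[0-5][0-9]:[0-5][0-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "LOGLEVEL": r"(?:[Dd]ebug|[Ii]nfo|[Nn]otice|[Ww]arn(?:ing)?|[Ee]rr(?:or)?"
                r"|[Cc]rit(?:ical)?|[Aa]lert|[Ee]merg(?:ency)?|[Tt]race)",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+)",
    "GREEDYDATA": r".*",
    # Custom pattern from the question, unchanged.
    "APACHE_ERROR_TIME": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}",
}

# The working pattern from the answer: brackets escaped, spaces inside the optional group.
APACHE_ERROR_LOG = (r"\[%{APACHE_ERROR_TIME:timestamp}\] \[%{LOGLEVEL:loglevel}\]"
                    r"(?: \[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern):
    """Recursively turn %{NAME} / %{NAME:field} references into a Python regex."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = expand(GROK[name])  # nested references, e.g. inside APACHE_ERROR_TIME
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)

APACHE_ERROR_RE = re.compile(expand(APACHE_ERROR_LOG))

def grok_match(line):
    """Apply the pattern the way grok does (unanchored search). Returns the captured
    fields plus the text preceding the match, or None on a _grokparsefailure."""
    m = APACHE_ERROR_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()  # clientip is None when the optional group is absent
    fields["before_match"] = line[:m.start()].rstrip()
    return fields

# Constructed copies of the two lines from the question.
RT_LINE = ("[11446] [Thu Jan 30 07:50:49 2020] [debug]: RT::Date used Time::ParseDate "
           "to make '2020-01-31T07:20:46Z' 1580446800 (/app/rt4/sbin/../lib/RT/Date.pm:274)")
PHP_LINE = r"[Wed Jun 26 22:13:22 2013] [error] [client 10.10.10.100] PHP Fatal error: Uncaught exception '\Foo\Bar'"

if __name__ == "__main__":
    for line in (RT_LINE, PHP_LINE):
        print(grok_match(line))
```

A line that carries no bracketed Apache timestamp (such as the syslog-style lines in the updated question) returns None, which is what shows up in Logstash as a _grokparsefailure tag.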

Related

Custom error log in apache2

In the Apache log file I am getting long messages such as:
[Wed Feb 21 19:32:18.916451 2018] [:error] [pid 23919] [client 10.0.2.2:50156] Error Message...
How can I get a custom log message like:
Format:[Time] [Message]
[19:32:18] Error Message....
Put
ErrorLogFormat "[%{c}t] %M"
in the Apache config file (presumably /etc/apache2/apache2.conf).
Other formatting options can be found at https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat

Apache and mod_wsgi returning 504 error when posting specific SVG string

I have a weird 504 error occurring in Apache + mod_wsgi when I post a specific SVG string. The backend application is Python Flask, but it does not seem to get to the application at all.
Here is one request that returns a 504 error:
curl 'https://some.domain.com/api/export/png' --data 'svg=%22%3E%28style'
And here is another one that returns with 200:
curl 'https://some.domain.com/api/export/png' --data 'svg=%22%3E%28styl'
The difference is that I only removed one character from the POST data.
The SVG data is cut down to the smallest one that could produce an error. The original SVG string is much larger.
The error that appears in the apache error log is:
[Tue Jun 09 14:27:26 2015] [error] [client X.X.X.X] (104)Connection reset by peer: mod_wsgi (pid=19254): Unable to get bucket brigade for request., referer: https://some.domain.com/
[Tue Jun 09 14:27:26 2015] [error] [client X.X.X.X] mod_wsgi (pid=19252): Exception occurred processing WSGI script '/var/www/ade/src/interface.wsgi'.
[Tue Jun 09 14:27:26 2015] [error] [client X.X.X.X] IOError: failed to write data
It is interesting that the error appears in the error log immediately after I make the request, before the POST data upload finishes.
Here are the version numbers we have:
Ubuntu 12.04
Apache/2.2.22 (Ubuntu)
mod_ssl/2.2.22
OpenSSL/1.0.1
mod_wsgi/3.3
Python/2.7.3
Any clues what might be causing this?
UPDATE: We updated mod_wsgi to 4.4.12 and the error message in error.log changed:
[Wed Jun 10 05:48:35 2015] [error] [client X.X.X.X] mod_wsgi (pid=5019): Request data read error when proxying data to daemon process: Connection reset by peer., referer: http://devade.annalect.com/
This might be related to AWS load balancers in front of the web server. Will try to investigate on that end.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ts-elb-error-message.html#ts-elb-errorcodes-http504

Apache 2 error log only shows the error message "0"

For a few days now, my Apache 2 error log has been showing a lot of messages like the following (IP addresses and URIs redacted):
[Thu Dec 12 13:46:42 2013] [error] [client 111.222.333.444] 0
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:53:54 2013] [error] [client 333.444.555.666] 0, referer: http://www.mydomain.com/subdirectory/
[Thu Dec 12 13:46:42 2013] [error] [client 444.555.666.777] 0
[Thu Dec 12 13:54:07 2013] [error] [client aaaa:1111:2222:ffff::] 0, referer: http://www.otherdomain.com/subdirectory/
What is this 0? There are no other messages shown (besides sometimes some other, normal messages, but very rarely).
The IP addresses are both IPv4 and IPv6. I checked the access log for the same date/time and IP addresses. Most of the time, there was an access at the exact same moment from this IP for different URIs on my webpage. But sometimes there wasn't an access according to the access log.
It's a shared hosting environment, so I can't access the Apache settings (but I have ssh access to my home directory if this helps). I already googled and searched the Apache documentation, but didn't find anything (it's hard to search for "0"...).
/edit: I also asked the webhoster; they said they don't know what's causing it. I cross-checked it with the Apache access log: these are requests to PHP scripts (mostly Joomla), but also requests to images as well as JS and CSS files. So I assume it's not a PHP script which is causing this.
If your error_log directive is unset, errors will be written to your Apache log file for the current VirtualHost.
So double-check your PHP configuration (php.ini) or write a simple page with phpinfo().
If this is true, you should look inside your code (maybe even into index.php).
Pay attention to this: usually there are two separate php.ini files, one for Apache (/etc/php5/apache2/php.ini) and one for the CLI configuration (/etc/php5/cli/php.ini).
Please also consider that, if you want to change your PHP configuration, you can use the ini_set function.
ini_set('error_log', '/var/log/php/error_new.log');
Remember: the destination directory must exist and your web server (or PHP engine) must have permission to write into it.
The error_log format is not customizable; I suspect that it can be set to some higher level, debug or trace, where it can produce additional information.
Also please take into account that error_log contains debug info from CGI/PHP/Perl scripts, so that 'zero' can be produced by some script that is executed through Apache as its module.

Getting output from the subprocess.Popen command into a webpage? (maybe an apache issue)

Here is my program
import subprocess
# CGI header (Python 2 print statements); the blank line ends the headers
print "Content-type:text/html\r\n\r\n"
print "File starting to execute"
print "<br>"
# run the second script via sudo and capture its stdout
proc = subprocess.Popen(["sudo", "python", "test3.py"], stdout=subprocess.PIPE)
output = proc.stdout.read()
print "output is %s" %output
print "<br>"
print "File Executed Awesomely"
So when I run it from the command line it works great, like follows->
[root#localhost html]# python test2.py
Content-type:text/html
File starting to execute
<br>
output is .
Sent 1 packets.
<br>
File Executed Awesomely
[root#localhost html]#
That is perfect; the ". Sent 1 packets." is what I want. But when I run it from the webpage, the webpage just has
File starting to execute
output is
File Executed Awesomely
So I originally thought this was because I was doing something wrong grabbing the output, but I listened on the port with Wireshark (the other program it calls sends a packet) and it looks like no packets show up via the webpage call, but they do when I call it on the command line (the same way). Looking at my Apache error_log->
[Wed Jan 18 18:15:11 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 18 18:15:11 2012] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 18 18:15:11 2012] [notice] Digest: done
[Wed Jan 18 18:15:11 2012] [warn] ./mod_dnssd.c: No services found to register
[Wed Jan 18 18:15:11 2012] [notice] Apache/2.2.17 (Unix) DAV/2 configured -- resuming normal operations
Any suggestions on how I can fix it so my Apache cgi-bin script runs the same way as the command line?
EDIT: looking at the log after a few calls it does this repeatedly
[Wed Jan 18 18:22:37 2012] [error] [client 10.117.153.89] :
[Wed Jan 18 18:22:37 2012] [error] [client 10.117.153.89] sorry, you must have a tty to run sudo
The message sorry, you must have a tty to run sudo is the key. First of all, letting your Apache run sudo is dangerous to say the least, but if you really really want to do it... there's a way: edit /etc/sudoers (with visudo) and locate the Defaults requiretty part (see man sudoers).
NB: Never let Apache run anything using sudo; specify exactly what it needs to do and nothing more!
BTW: It may still not work if you have SELinux enabled or another LSM module.

Are these lines an error or info in Apache's error log?

I have just looked at my error_logs for a particular site of mine (which I haven't done in a while), and in Apache's error_log I find hundreds of lines that have this same format:
[Mon Mar 16 19:20:03 2009] [error] [client xx.81.239.xxx] [Mon Mar 16 19:20:03 2009] [info] Executing "/home/get/public_html/fileReader.php" as UID 32596, GID 32599, referer: http://www.mysite.com/index.php
[Mon Mar 16 19:20:03 2009] [error] [client xx.3.27.xx] [Mon Mar 16 19:20:03 2009] [info] Executing "/home/get/public_html/fileReader.php" as UID 32596, GID 32599, referer: http://www.mysite.com/index.php
[Mon Mar 16 19:20:03 2009] [error] [client xx.202.191.xx] [Mon Mar 16 19:20:02 2009] [info] Executing "/home/get/public_html/fileReader.php" as UID 32596, GID 32599, referer: http://www.mysite.com/index.php
I have Googled and could not find anything on this. What does it mean? Is it even an error? If not, why record it?
Thanks all
These log entries originate from suPHP. They are info messages, not errors (the code says logger.logInfo(...), not logger.logError(...)). You can suppress them by setting suPHP's loglevel configuration option to "warn", "error", or "none".
These entries might be some custom error log format.