Grok pattern for apache2 error log

I have been using Graylog for a little while now and have apache2 access and error logs feeding into Graylog OK. The access log is being formatted correctly using the COMBINEDAPACHELOG grok pattern; however, I cannot get the error log to format correctly. I have found a few grok patterns on this forum and the internet but none of them seem to work (I have very limited knowledge of grok and regex but have been learning…

Here is a sample error message coming into Graylog:
[Mon Jun 21 15:37:42.947020 2021] [php7:warn] [pid 32118] [client] PHP Warning: Creating default object from empty value in /var/www/ on line 117

I found two grok patterns online that I have added, but when I test the APACHE_ERROR_LOG pattern against the sample message it doesn't work (I just get an error asking to check the parameters):

[%{APACHE_ERROR_TIME:timestamp}] [%{LOGLEVEL:loglevel}] (?:[client %{IPORHOST:clientip}] ){0,1}%{GREEDYDATA:errormsg}

Any help would be much appreciated. I would have thought there would have been prebuilt grok patterns or pipelines for the apache error log but cannot find anything online that works.

You’ve used an incomplete grok, because it doesn’t contain all the information, like port and pid. Your grok needs to include all the text in the source message.

Try this one:
\[%{APACHE_TIME:timestamp}\] \[%{DATA:apache_error_module}:%{LOGLEVEL:log_level}\] \[pid %{NUMBER:process_pid:long}(:tid %{NUMBER:process_thread_id:long})?\] (\[client %{IPORHOST:source_address}(:%{INT:source_port})?\])? %{GREEDYDATA:message}

The best way is to debug using online editors or the Graylog UI (System - Grok).

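Added example, not part of the original posts: a Python sketch that expands the answer's grok pattern into a regular expression and runs it against constructed log lines, including one that has no client field. The sub-pattern definitions in SUB (APACHE_TIME included, since the thread never shows it), the parse helper and VARIANT are assumptions made for this example, not Graylog's shipped definitions.

```python
import re

# Simplified stand-ins for the grok sub-patterns (assumptions, not Graylog's
# shipped definitions). APACHE_TIME is a custom pattern the thread never shows.
SUB = {
    "APACHE_TIME": r"\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}",
    "DATA": r".*?", "GREEDYDATA": r".*", "LOGLEVEL": r"[A-Za-z]+",
    "NUMBER": r"\d+", "INT": r"\d+", "IPORHOST": r"[0-9A-Za-z_.-]+",
}
TOKEN = re.compile(r"%\{(\w+):(\w+)(?::(\w+))?\}")

def parse(grok, line):
    """Expand %{NAME:field[:type]} into named groups and match one line."""
    longs = {m.group(2) for m in TOKEN.finditer(grok) if m.group(3) == "long"}
    regex = TOKEN.sub(lambda m: f"(?P<{m.group(2)}>{SUB[m.group(1)]})", grok)
    hit = re.search(regex, line)
    if hit is None:
        return None
    fields = {k: v for k, v in hit.groupdict().items() if v is not None}
    return {k: int(v) if k in longs else v for k, v in fields.items()}

# Pattern from the answer above, copied unchanged.
ANSWER = (r"\[%{APACHE_TIME:timestamp}\] \[%{DATA:apache_error_module}:%{LOGLEVEL:log_level}\] "
          r"\[pid %{NUMBER:process_pid:long}(:tid %{NUMBER:process_thread_id:long})?\] "
          r"(\[client %{IPORHOST:source_address}(:%{INT:source_port})?\])? %{GREEDYDATA:message}")
# Variant (assumption): the separating space moves inside the optional group.
VARIANT = ANSWER.replace(r"\])? %{GREEDYDATA", r"\] )?%{GREEDYDATA")

# Constructed sample lines (192.0.2.10 is a documentation address).
WITH_CLIENT = ("[Mon Jun 21 15:37:42.947020 2021] [php7:warn] [pid 32118] "
               "[client 192.0.2.10:51234] PHP Warning: Creating default object from empty value")
NO_CLIENT = ("[Mon Jun 21 15:37:40.101010 2021] [mpm_prefork:notice] [pid 32100] "
             "AH00163: Apache configured -- resuming normal operations")

if __name__ == "__main__":
    print(parse(ANSWER, WITH_CLIENT))
    print(parse(ANSWER, NO_CLIENT))   # no match: a second literal space is required
    print(parse(VARIANT, NO_CLIENT))
```

Under these assumed sub-patterns, the answer's pattern extracts every field from the line with a client address but returns no match for the line without one, because the space after the optional client group is still mandatory. The variant matches both, which matters if server-level notices should be parsed into the same fields as request errors.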

Awesome, thank you so much! I did try the debugger but I am still learning regex and grok patterns. I will be able to study it now to help break each part down for future patterns.

Thanks :)
