Here you can see some log error entries:
[Fri Aug 10 05:21:26.511633 2018] [core:error] [pid 58722] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /…/…/…/…/…/…/…/ HTTP/1.1
[Fri Aug 10 05:21:29.472006 2018] [core:error] [pid 53626] [client xx.xx.xxx.xxx:xxxxx] AH00126: Invalid URI in request GET @www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.505785 2018] [core:error] [pid 58988] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET @www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.665022 2018] [core:error] [pid 58722] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET qualys:@www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.699173 2018] [core:error] [pid 53626] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET qualys:@www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:39.767464 2018] [core:error] [pid 58837] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /…/…/…/…/…/…/…/…/…/ HTTP/1.1
[Fri Aug 10 05:21:59.131454 2018] [core:error] [pid 58152] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /%22%3e%3cscript%3ealert(document.domain)%3c/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:21:59.651522 2018] [core:error] [pid 58002] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /admin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:22:00.327068 2018] [core:error] [pid 57471] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /install/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:23:13.339605 2018] [core:error] [pid 58775] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
I’ve used Grok Constructor to test the grok pattern and the results are OK, but when I try to use this Grok Pattern as a Graylog Extractor I always get the same error: “Attention
We were not able to run the grok extraction. Please check your parameters.” I’ve checked the Graylog node logs but nothing else appeared.
I’ve also checked that all the patterns that are used on the extractor are under System - Grok Patterns.
Has anyone used this Grok Pattern and been able to make it work?
I see you use the pattern HTTPDERROR_DATE. That does not appear to be a default pattern loaded in Graylog. Did you make a custom pattern? If so, can you provide that pattern?
I’ve tested the grok_pattern with some apache error log entries and it works perfectly. I’ve also imported these grok patterns into Graylog, but whenever I try to use them I get an error: “Attention
We were not able to run the grok extraction. Please check your parameters.”
Yes, I’ve tried escaping the brackets, and I’ve also tried escaping the escape characters (double \), but it does not work either.
I’ve even tried to replace [ ] with ? characters in the grok pattern, but it does not work.
Okay, I was having some success with escaping the brackets when I was testing but had to get back to work. I will try to look at it again later. I highly recommend testing with https://grokdebug.herokuapp.com/ . Make sure you add your custom pattern (the HTTPDERROR_DATE). I’ll see what I can do later if you haven’t figured it out yet.
The problem is that I don’t know what the problem with the expression is. I’ve tried to modify and customize it, but I always get the same result: when I test it on GrokDebug or GrokConstructor it works, but when I add it to Graylog as a new Grok Pattern it doesn’t work, showing the message “Attention: We were not able to run the grok extraction. Please check your parameters.” but no other information, not even in the log files.
The weird thing is that I have also used Grok Patterns to parse Apache access logs (with very similar Grok expressions to the error one) and they work perfectly. I don’t understand why these other Grok Patterns are not working.
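The following is an added example, not code from this thread, from Graylog or from any grok debugger. It is a small Python grok-style expander that turns an Apache 2.4 error-log pattern of the kind discussed above into a plain regex and runs it over constructed sample lines, so the pattern logic can be checked offline, independently of GrokDebug or Graylog. The pattern names follow the logstash convention (HTTPDERROR_DATE, WORD, LOGLEVEL, POSINT, IPORHOST, GREEDYDATA), but every definition here is a simplified assumption written for this example, not the definition shipped with Graylog; the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Grok-style building blocks. Names follow the logstash convention; the
# definitions are simplified versions written for this example, not the
# ones shipped with Graylog or logstash.
PATTERNS = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:(?:[0-5][0-9]|60)(?:\.[0-9]+)?",
    "YEAR": r"(?:\d\d){1,2}",
    # Apache 2.4 error-log timestamp, e.g. "Fri Aug 10 05:21:26.511633 2018"
    "HTTPDERROR_DATE": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}",
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?:emerg|alert|crit|error|warn|notice|info|debug|trace\d?)",
    "POSINT": r"\b[1-9][0-9]*\b",
    # Deliberately loose so the masked "xx.xx.xx.xx" addresses from the
    # thread parse as well as real ones.
    "IPORHOST": r"[^\s:\]]+",
    "GREEDYDATA": r".*",
}

# The extractor pattern itself (an assumption modelled on the log format
# shown in the thread). Square brackets are regex metacharacters, so each
# literal "[" and "]" of the log line is escaped as "\[" / "\]".
HTTPD24_ERRORLOG = (
    r"\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\]"
    r" \[pid %{POSINT:pid}\] \[client %{IPORHOST:clientip}:%{WORD:clientport}\]"
    r" %{GREEDYDATA:message}"
)

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand(pattern: str, patterns: dict = PATTERNS) -> str:
    """Recursively replace %{NAME} and %{NAME:field} references with plain
    Python regex, turning %{NAME:field} into a named capture group."""
    def replace(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            # This is the situation of a pattern name that was never loaded.
            raise KeyError(f"unknown grok pattern {name!r}")
        body = expand(patterns[name], patterns)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(replace, pattern)


ERRORLOG_RE = re.compile(expand(HTTPD24_ERRORLOG))


def parse_error_line(line: str):
    """Return the extracted fields as a dict, or None if the line does not
    match (the equivalent of the extractor producing no fields)."""
    m = ERRORLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_error_log(text: str) -> list:
    """Parse every line of an error log, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        rec = parse_error_line(line)
        if rec is not None:
            records.append(rec)
    return records


def mentions_path_traversal(message: str) -> bool:
    """Defender-side triage check: after one round of URL-decoding, does the
    logged request contain a '../' segment?"""
    return "../" in unquote(message)


# Constructed sample lines in the Apache 2.4 error-log format, modelled on
# the entries in the thread (TEST-NET address and masked address, both made up).
SAMPLE_LOG = """\
[Fri Aug 10 05:21:26.511633 2018] [core:error] [pid 58722] [client 203.0.113.7:49152] AH00126: Invalid URI in request GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:21:29.472006 2018] [core:error] [pid 53626] [client xx.xx.xxx.xxx:xxxxx] AH00126: Invalid URI in request GET @www.example.com HTTP/1.0
this line is not in error-log format
"""

if __name__ == "__main__":
    for rec in parse_error_log(SAMPLE_LOG):
        flag = " [traversal]" if mentions_path_traversal(rec["message"]) else ""
        print(rec["timestamp"], rec["clientip"], rec["pid"], rec["message"][:40], flag)
```

Running the script prints one record per matching line and skips the malformed one. Two points carry over to the extractor discussed in the thread: every name referenced with `%{...}` has to resolve to a loaded pattern (the expander raises `KeyError` where a grok engine would simply fail), and the literal brackets of the log format must be escaped in the pattern. The `mentions_path_traversal` helper is an added triage aid for the `%2e%2e` requests in the thread, not part of the extractor.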