Problems with Grok Pattern for Apache 2.4 Error logs



Hello,

this is my first message, but I’ve used a lot of the Community’s resources, so thank you, everyone.

I am trying to parse Error Logs from Apache 2.4 using a Grok Pattern but I cannot do it. I am using this Grok Pattern:

\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?( %{DATA:errorcode}:)? %{GREEDYDATA:message}

Here you can see some log error entries:
[Fri Aug 10 05:21:26.511633 2018] [core:error] [pid 58722] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /…/…/…/…/…/…/…/ HTTP/1.1
[Fri Aug 10 05:21:29.472006 2018] [core:error] [pid 53626] [client xx.xx.xxx.xxx:xxxxx] AH00126: Invalid URI in request GET @www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.505785 2018] [core:error] [pid 58988] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET @www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.665022 2018] [core:error] [pid 58722] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET qualys:@www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:29.699173 2018] [core:error] [pid 53626] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET qualys:@www.q5u4a3l2y1s.com HTTP/1.0
[Fri Aug 10 05:21:39.767464 2018] [core:error] [pid 58837] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /…/…/…/…/…/…/…/…/…/ HTTP/1.1
[Fri Aug 10 05:21:59.131454 2018] [core:error] [pid 58152] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /%22%3e%3cscript%3ealert(document.domain)%3c/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:21:59.651522 2018] [core:error] [pid 58002] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /admin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:22:00.327068 2018] [core:error] [pid 57471] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /install/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
[Fri Aug 10 05:23:13.339605 2018] [core:error] [pid 58775] [client xx.xx.xx.xx:xxxxx] AH00126: Invalid URI in request GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

I’ve used Grok Constructor to test the grok pattern and the results are OK, but when I try to use this Grok Pattern as a Graylog Extractor I always get the same error: “Attention. We were not able to run the grok extraction. Please check your parameters.” I’ve checked the Graylog node logs but nothing else appeared.

I’ve also checked that all the patterns that are used on the extractor are under System - Grok Patterns.

Has anyone used this Grok Pattern and been able to make it work?

Thank you very much!

Alex.
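To check the pattern independently of any tool, here is an added example (not part of the post and not Graylog or Logstash code) that expands the `HTTPD24_ERRORLOG` pattern into a plain Python regex using a small, simplified subset of the stock grok pattern library, then runs it over constructed log lines. The library entries are assumptions (abbreviated day names, IPv4-only `IP`, no atomic groups), the `\[`, `\]` and `\(` escapes are the ones the stock Logstash pattern uses, and the sample lines are constructed with a TEST-NET-3 address, modelled on the lines in the post. It also shows one thing worth checking before blaming the extractor: a line whose client was redacted to `xx.xx.xx.xx:xxxxx` can never satisfy `%{POSINT:clientport}`, so the optional `[client ...]` group is skipped and the rest of the line is silently swallowed into `errorcode` instead of producing a `clientip`. From a defender's point of view, the `AH00126` lines in the post are mostly scanner probes, so the example ends with a per-client count of invalid-URI events, the kind of field you would want the extractor to produce reliably.

```python
import re

# Simplified subset of the stock grok pattern library (assumption: enough for
# HTTPD24_ERRORLOG, not a faithful copy; IPv4 only, no atomic groups).
GROK_PATTERNS = {
    "DAY": r"(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HTTPDERROR_DATE": r"%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}",
    "WORD": r"\b\w+\b",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|"
                r"[Ii]nfo?(?:rmation)?|INFO(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|"
                r"[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|"
                r"[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?\b",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
}

# The pattern from the post, with the escapes the stock Logstash definition uses.
HTTPD24_ERRORLOG = (
    r"\[%{HTTPDERROR_DATE:timestamp}\] \[%{WORD:module}:%{LOGLEVEL:loglevel}\] "
    r"\[pid %{POSINT:pid}(:tid %{NUMBER:tid})?\]"
    r"( \(%{POSINT:proxy_errorcode}\)%{DATA:proxy_message}:)?"
    r"( \[client %{IPORHOST:clientip}:%{POSINT:clientport}\])?"
    r"( %{DATA:errorcode}:)? %{GREEDYDATA:message}"
)

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, library=GROK_PATTERNS):
    """Expand %{NAME:field} / %{NAME} references into a Python regex.

    Named references become named groups; bare references become non-capturing
    groups. A reference to a pattern missing from the library raises KeyError,
    which is the first thing to rule out when a grok tool rejects a pattern.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in library:
            raise KeyError(f"unknown grok pattern %{{{name}}}")
        body = library[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    while GROK_REF.search(pattern):          # keep expanding nested references
        pattern = GROK_REF.sub(repl, pattern)
    return pattern


ERRORLOG_RE = re.compile(grok_to_regex(HTTPD24_ERRORLOG))


def parse_error_log(line):
    """Return the captured fields of one Apache 2.4 error-log line, or None."""
    m = ERRORLOG_RE.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def invalid_uri_counts(lines):
    """Count AH00126 (invalid URI) events per client IP across parsed lines."""
    counts = {}
    for line in lines:
        rec = parse_error_log(line)
        if rec and rec.get("errorcode") == "AH00126":
            ip = rec.get("clientip", "(unknown)")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample lines (not from a real server); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_LINES = [
    "[Fri Aug 10 05:21:26.511633 2018] [core:error] [pid 58722] [client 203.0.113.5:51234] "
    "AH00126: Invalid URI in request GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "[Fri Aug 10 05:21:29.472006 2018] [core:error] [pid 53626] [client 203.0.113.5:51235] "
    "AH00126: Invalid URI in request GET @www.example.com HTTP/1.0",
    "[Fri Aug 10 05:22:00.000000 2018] [mpm_prefork:notice] [pid 1234] "
    "AH00163: Apache/2.4 configured -- resuming normal operations",
    # Redacted the way the post's lines are: the port is not a POSINT any more.
    "[Fri Aug 10 05:21:26.511633 2018] [core:error] [pid 58722] [client xx.xx.xx.xx:xxxxx] "
    "AH00126: Invalid URI in request GET /a HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_error_log(line))
    print(invalid_uri_counts(SAMPLE_LINES))
```

Running the block shows the first three lines parsed into their fields, while the redacted fourth line comes back with no `clientip` and an `errorcode` of `[client xx.xx.xx.xx:xxxxx] AH00126`, which is why it is not counted. The lesson for testing an extractor is to feed it unredacted lines (or redact the address to something that still satisfies the pattern, such as a TEST-NET address and a numeric port).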