apache log type missing from ubuntu 18.04

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: apache log type missing from ubuntu 18.04

Post by ssax »

Are you using rsyslog on 192.168.35.11 to send them? Is that system running Ubuntu as well? Is it only this machine that has the problem? Do others work? Please attach the /etc/rsyslog.conf and any other files in /etc/rsyslog.d from 192.168.35.11.
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

Yes, 192.168.35.11 is the problematic Ubuntu 18. I have an Ubuntu 16 in this network that works correctly; I attached its screenshot before.
I reconfigured the 35.11 again with the automatic apache script, I attach the config files. Rsyslog will be in the next post, because 3 max...
port 5544 linux files, port 5545 apache files.
Last edited by mannerr on Fri Apr 17, 2020 2:31 pm, edited 1 time in total.
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

Inputs:
rsyslog.conf
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

Events now:
events3.png
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: apache log type missing from ubuntu 18.04

Post by cdienger »

Let's enable some debug logging to see why it's throwing that parse failure tag:

Edit /etc/init.d/logstash and change line 64 from:

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"

to:

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"

and restart the service with:

systemctl daemon-reload
service logstash restart

Let this run just long enough to allow NLS to process some new Apache logs and then collect the /var/log/logstash/logstash.log file before reverting the config back and restarting the service.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

Such lines appear:

{:timestamp=>"2020-04-17T22:20:25.652000+0200", :message=>"output received", :event=>{"message"=>"<133>Apr 17 22:20:19 logoweb_app apache_access: 89.133.xx.xx - - [17/Apr/2020:22:20:09 +0200] \"GET /static/tempPdf/49499/97ren29.pdf HTTP/1.1\" 200 192001 \"http://www.example.hu/?tart=63\" \"Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36\"\n", "@version"=>"1", "@timestamp"=>"2020-04-17T20:20:25.014Z", "type"=>"apachetest", "host"=>"192.168.35.11", "tags"=>["_grokparsefailure_sysloginput"], "priority"=>0, "severity"=>0, "facility"=>0, "facility_label"=>"kernel", "severity_label"=>"Emergency"}, :level=>:debug, :file=>"(eval)", :line=>"365", :method=>"output_func"}
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: apache log type missing from ubuntu 18.04

Post by ssax »

Does /var/log/syslog contain that <PRI> entry at the beginning of the message? Are you even seeing those apache_access ones in /var/log/syslog?

None of mine contain it, it has to be either rsyslog doing it or apache writing it like that. You said that <PRI> line was NOT in the apache logs, correct?
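
To go with the <PRI> question above, an added example (not code from any poster or from Nagios) that decodes the PRI of a raw frame and compares it with the facility and severity the event recorded. The function name, the strict header regex and the host name character check are this example's assumptions, and the thread does not establish which part of the header the Logstash syslog input rejected.

```python
import re

# Names indexed by numeric code (RFC 3164 / RFC 5424 tables).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kernel", "user-level", "mail", "system daemons", "security/auth",
              "syslogd", "line printer", "network news", "uucp", "clock",
              "security/auth", "ftp", "ntp", "log audit", "log alert",
              "clock"] + [f"local{i}" for i in range(8)]

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$", re.S)
# Host names limited to letters, digits, hyphen and dots (RFC 952 / RFC 1123).
LDH_HOST = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def inspect_frame(raw, event_facility=None, event_severity=None):
    """Decode one raw syslog frame and list what a strict parser might reject."""
    m = HEADER.match(raw)
    if not m:
        return {"parsed": False,
                "findings": ["no <PRI>TIMESTAMP HOST TAG: MSG header found"]}
    pri = int(m["pri"])
    facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    findings = []
    if facility >= len(FACILITIES):
        findings.append(f"PRI {pri} is above the maximum of 191")
    if not LDH_HOST.match(m["host"]):
        findings.append(f"host {m['host']!r} is not letters/digits/hyphen only")
    if event_facility is not None and \
            (event_facility, event_severity) != (facility, severity):
        findings.append("event facility/severity do not match the PRI value")
    return {"parsed": True, "host": m["host"], "tag": m["tag"],
            "facility": facility, "severity": severity,
            "facility_label": FACILITIES[facility]
            if facility < len(FACILITIES) else "invalid",
            "severity_label": SEVERITIES[severity], "findings": findings}


# Constructed sample modelled on the debug event in the thread (request shortened).
SAMPLE = ('<133>Apr 17 22:20:19 logoweb_app apache_access: 89.133.xx.xx - - '
          '[17/Apr/2020:22:20:09 +0200] "GET /static/x.pdf HTTP/1.1" 200 192001\n')

if __name__ == "__main__":
    # The event in the thread recorded facility 0 and severity 0.
    print(inspect_frame(SAMPLE, event_facility=0, event_severity=0))
```

For the sample, PRI 133 decodes to local0/Notice, while the event carries kernel/Emergency, so the header values were never applied to the event.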
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

/var/log/syslog:

Apr 17 22:20:09 logoweb_app apache_access: 89.133.xx.xx - - [17/Apr/2020:22:20:08 +0200] "GET /download/index.php?id=49499 HTTP/1.1" 302 3870 "http://www.example.hu/?tart=63" "Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36"

Pair of this in /var/log/apache2/access_ssl.log:

89.133.xx.xx - - [17/Apr/2020:22:20:08 +0200] "GET /download/index.php?id=49499 HTTP/1.1" 302 3870 "http://www.example.hu/?tart=63" "Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36"
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: apache log type missing from ubuntu 18.04

Post by cdienger »

Can you PM me the entire logstash.log file?
mannerr
Posts: 12
Joined: Sun Aug 03, 2014 1:32 pm

Re: apache log type missing from ubuntu 18.04

Post by mannerr »

I sent it on Friday.
Thanks