Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 1:43 pm
by ssax
Are you using rsyslog on 192.168.35.11 to send them? Is that system running Ubuntu as well? Is it only this machine that has the problem? Do others work? Please attach the /etc/rsyslog.conf and any other file in /etc/rsyslog.d from 192.168.35.11.
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 2:22 pm
by mannerr
Yes, 192.168.35.11 is the problematic Ubuntu 18. I have an Ubuntu 16 in this network that works correctly; I attached its screenshot before.
I reconfigured the 35.11 again with the automatic apache script, I attach the config files. Rsyslog will be in the next post, because 3 max...
Port 5544 Linux files, port 5545 Apache files.
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 2:23 pm
by mannerr
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 2:41 pm
by mannerr
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 3:07 pm
by cdienger
Let's enable some debug logging to see why it's throwing that parse failure tag:
Edit /etc/init.d/logstash and change line 64 from:
Code:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"
to:
Code:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"
and restart the service with:
Code:
systemctl daemon-reload
service logstash restart
Let this run just long enough to allow NLS to process some new Apache logs and then collect the /var/log/logstash/logstash.log file before reverting the config back and restarting the service.
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 3:31 pm
by mannerr
Such lines appear:
Code:
{:timestamp=>"2020-04-17T22:20:25.652000+0200", :message=>"output received", :event=>{"message"=>"<133>Apr 17 22:20:19 logoweb_app apache_access: 89.133.xx.xx - - [17/Apr/2020:22:20:09 +0200] \"GET /static/tempPdf/49499/97ren29.pdf HTTP/1.1\" 200 192001 \"http://www.example.hu/?tart=63\" \"Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36\"\n", "@version"=>"1", "@timestamp"=>"2020-04-17T20:20:25.014Z", "type"=>"apachetest", "host"=>"192.168.35.11", "tags"=>["_grokparsefailure_sysloginput"], "priority"=>0, "severity"=>0, "facility"=>0, "facility_label"=>"kernel", "severity_label"=>"Emergency"}, :level=>:debug, :file=>"(eval)", :line=>"365", :method=>"output_func"}
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 3:51 pm
by ssax
Does /var/log/syslog contain that <PRI> entry at the beginning of the message? Are you even seeing those apache_access ones in /var/log/syslog?
None of mine contain it, it has to be either rsyslog doing it or apache writing it like that. You said that <PRI> line was NOT in the apache logs, correct?
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 4:08 pm
by mannerr
/var/log/syslog:
Code:
Apr 17 22:20:09 logoweb_app apache_access: 89.133.xx.xx - - [17/Apr/2020:22:20:08 +0200] "GET /download/index.php?id=49499 HTTP/1.1" 302 3870 "http://www.example.hu/?tart=63" "Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36"
The matching entry in /var/log/apache2/access_ssl.log:
Code:
89.133.xx.xx - - [17/Apr/2020:22:20:08 +0200] "GET /download/index.php?id=49499 HTTP/1.1" 302 3870 "http://www.example.hu/?tart=63" "Mozilla/5.0 (Linux; Android 9; ANE-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.111 Mobile Safari/537.36"
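The frame in the debug output differs from the /var/log/syslog line only by the leading `<133>`, the syslog PRI value (facility * 8 + severity, RFC 3164) that is carried on the wire and not written to the file. The Python sketch below is an added example, not part of any post in this thread and not Logstash or Nagios Log Server code: it splits a constructed copy of that frame into PRI, header and Apache combined-format fields. The regular expressions and the `parse_frame` name are assumptions of this example and do not reproduce Logstash's grok patterns.

```python
import re

# Constructed sample: the forwarded frame from the debug output, user agent shortened.
FRAME = ('<133>Apr 17 22:20:19 logoweb_app apache_access: 89.133.xx.xx - - '
         '[17/Apr/2020:22:20:09 +0200] "GET /static/tempPdf/49499/97ren29.pdf HTTP/1.1" '
         '200 192001 "http://www.example.hu/?tart=63" "Mozilla/5.0 (Linux; Android 9)"\n')
# The same entry in the form rsyslog writes to /var/log/syslog: no PRI prefix.
FILE_LINE = FRAME[len('<133>'):]

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock'
              ] + ['local%d' % i for i in range(8)]
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# <PRI>, "Mmm dd hh:mm:ss", host, tag with optional [pid], then the message body.
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$', re.S)
# Apache combined log format, as seen in access_ssl.log.
COMBINED = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_frame(frame):
    """Split a wire-format syslog frame; return None if PRI or header is malformed."""
    m = HEADER.match(frame)
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields.pop('pri'))
    if pri > 191:                      # highest valid PRI is 23 * 8 + 7
        return None
    fields['facility'] = FACILITIES[pri >> 3]
    fields['severity'] = SEVERITIES[pri & 7]
    fields['msg'] = fields['msg'].rstrip('\n')
    apache = COMBINED.match(fields['msg'])
    fields['apache'] = apache.groupdict() if apache else None
    return fields


if __name__ == '__main__':
    print(parse_frame(FRAME))
    print(parse_frame(FILE_LINE))      # None: the file form has no PRI
```

For this frame the PRI decodes to local0.notice, while the event in the debug output carries priority 0 (kernel/Emergency) together with the `_grokparsefailure_sysloginput` tag.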
Re: apache log type missing from ubuntu 18.04
Posted: Fri Apr 17, 2020 4:29 pm
by cdienger
Can you PM me the entire logstash.log file?
Re: apache log type missing from ubuntu 18.04
Posted: Mon Apr 20, 2020 2:57 am
by mannerr
I sent it on Friday.
Thanks