[Apache Tomcat]: 400 in logs causes dissect to fail. #11514
Labels
Integration:apache_tomcat
Apache Tomcat
needs:triage
Team:Obs-InfraObs
Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]
Integration Name
Apache Tomcat [apache_tomcat]
Dataset Name
No response
Integration Version
1.5.1
Agent Version
8.13.4
Agent Output Type
elasticsearch
Elasticsearch Version
8.15.1
OS Version and Architecture
Windows Server 2022
Software/API Version
9.0.86
Error Message
Processor dissect with tag fail-dissect_event_original in pipeline _simulate_pipeline failed with message: Unable to find match for dissect pattern: %{_tmp.sourceorusername} %{apache_tomcat.access.http.ident} %{apache_tomcat.access.http.useragent} [%{_tmp.timestamp}] "%{http.request.method} %{url.original} HTTP/%{http.version}" %{_tmp.dissectgrok} against source: ###.###.###.### - - [24/Oct/2024:14:18:49 +1100] "-" 400 - ###.###.###.### + 0.000 "-" "-" X-Forwarded-For="-"",
"Processor grok with tag fail-grok_parse_log_sourceoruser in pipeline _simulate_pipeline failed with message: field [_tmp] not present as part of path [_tmp.sourceorusername]",
"Processor grok with tag fail-grok_parse_log_dissectgrok in pipeline _simulate_pipeline failed with message: field [_tmp] not present as part of path [_tmp.dissectgrok]
Event Original
81.2.69.144 - - [24/Oct/2024:14:18:49 +1100] "-" 400 - 81.2.69.145 + 0.000 "-" "-" X-Forwarded-For="-"
What did you do?
Configured my Tomcat logs to output as below, per the documentation.
Configure the integration and push the policy to the agent.
What did you see?
Log entry:
Event error.message:
What did you expect to see?
Anything else?
I've fixed this issue here in a fork: Personal Repo
The dissect needs to be split out to prevent this error:
Current:
Recommended:
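Added example, not the fork's change and not the integration's pipeline code: a simplified Python model of dissect matching, run on the pattern and the "Event Original" line from this report. It shows why a request logged as `"-"` fails the single pattern, and how capturing the quoted request whole and parsing it in a second step keeps the status 400 and source address of the rejected request in the event. The names `_tmp.request` and `_tmp.request_unparsed` and the split itself are assumptions.

```python
import re

# Dissect pattern copied from the error message on this page.
FULL = ('%{_tmp.sourceorusername} %{apache_tomcat.access.http.ident} '
        '%{apache_tomcat.access.http.useragent} [%{_tmp.timestamp}] '
        '"%{http.request.method} %{url.original} HTTP/%{http.version}" '
        '%{_tmp.dissectgrok}')
# Assumed split (hypothetical): take the quoted request line whole, then
# dissect it in a second, optional step. _tmp.request is an invented name.
OUTER = ('%{_tmp.sourceorusername} %{apache_tomcat.access.http.ident} '
         '%{apache_tomcat.access.http.useragent} [%{_tmp.timestamp}] '
         '"%{_tmp.request}" %{_tmp.dissectgrok}')
INNER = '%{http.request.method} %{url.original} HTTP/%{http.version}'

# "Event Original" from this page, and a constructed normal request.
BAD_LINE = ('81.2.69.144 - - [24/Oct/2024:14:18:49 +1100] "-" 400 - '
            '81.2.69.145 + 0.000 "-" "-" X-Forwarded-For="-"')
GOOD_LINE = ('81.2.69.144 - - [24/Oct/2024:14:18:49 +1100] '
             '"GET /index.html HTTP/1.1" 200 1043 81.2.69.145 + 0.012 '
             '"-" "curl/8.0" X-Forwarded-For="-"')

def dissect(pattern, text):
    """Simplified model of dissect: every literal must occur, in order."""
    parts = re.split(r'%\{([^}]*)\}', pattern)  # literal, key, literal, ...
    if not text.startswith(parts[0]):
        return None
    pos, fields = len(parts[0]), {}
    for key, delim in zip(parts[1::2], parts[2::2]):
        end = text.find(delim, pos) if delim else len(text)
        if end < 0:
            return None  # delimiter missing: the whole pattern fails
        fields[key] = text[pos:end]
        pos = end + len(delim)
    return fields if pos == len(text) else None

def parse_event(line):
    """Two-stage parse: a bad request line no longer discards the event."""
    event = dissect(OUTER, line)
    if event is None:
        return None
    request = event.pop('_tmp.request')
    inner = dissect(INNER, request)
    if inner is None:
        event['_tmp.request_unparsed'] = request  # e.g. "-" on a 400
    else:
        event.update(inner)
    return event
```

`dissect(FULL, BAD_LINE)` returns `None`, which is the failure in the error message above; `parse_event(BAD_LINE)` still returns the timestamp, source and the `400 ...` remainder for the later grok steps.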