
http_version sometimes extracted from wrong field

Open fadenb opened this issue 9 years ago • 0 comments

Hey :)

I just found a weird http_version being extracted: v0.18.2. I traced it back to the following message (some parts redacted):

YYYYYYYYYYYY nginx: 151.ZZZ.48.28 - - [11/May/2016:19:07:39 +0000] "GET / HTTP/1.1" 301 178 "http://XXXXXXXXX.de/" "Pcore-HTTP/v0.18.2" "-" <msec=1462993659.671|connection=1121932|connection_requests=1|millis=0.000>

To me it looks like the current http_version extractor rule nginx:.+HTTP/(\S+)" is not specific enough and matches the last occurrence of HTTP/ followed by a string. In this case parts of the user agent matched and were extracted.

fadenb, May 12 '16 11:05
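
An added example, not part of the issue and not the content pack's own code: it runs the extractor rule quoted above against the posted log line and against a constructed line with an empty request, next to a stricter rule that reads the version only from the request field. The user agent is client-supplied, so a rule that can reach it lets a client set http_version. `ANCHORED_RULE`, `extract` and the second log line are assumptions made for illustration.

```python
import re

# Extractor rule quoted in the issue: the greedy ".+" runs to the end of the
# line, then backtracks to the LAST 'HTTP/<non-space>"' it can find.
CURRENT_RULE = re.compile(r'nginx:.+HTTP/(\S+)"')

# Assumed stricter rule (illustrative, not the content pack's fix): walk the
# fixed fields up to the [timestamp], then read the version only from the
# first quoted field (the request line), accepting digits and one dot.
ANCHORED_RULE = re.compile(
    r'nginx: \S+ \S+ \S+ \[[^\]]+\] "[^"]*? HTTP/(\d+(?:\.\d+)?)"'
)

# Log line from the issue, redactions kept as posted.
ISSUE_LINE = (
    'YYYYYYYYYYYY nginx: 151.ZZZ.48.28 - - [11/May/2016:19:07:39 +0000] '
    '"GET / HTTP/1.1" 301 178 "http://XXXXXXXXX.de/" "Pcore-HTTP/v0.18.2" "-" '
    '<msec=1462993659.671|connection=1121932|connection_requests=1|millis=0.000>'
)

# Constructed line: the request field is empty ("-"), so there is no HTTP
# version to extract, but the user agent still contains "HTTP/".
CONSTRUCTED_EMPTY_REQUEST = (
    'host1 nginx: 192.0.2.10 - - [11/May/2016:19:07:40 +0000] '
    '"-" 400 0 "-" "Example-HTTP/v9.9" "-"'
)


def extract(rule, line):
    """Return the captured http_version, or None when the rule does not match."""
    match = rule.search(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    samples = (("issue", ISSUE_LINE), ("constructed", CONSTRUCTED_EMPTY_REQUEST))
    for name, line in samples:
        print(name, "current rule: ", extract(CURRENT_RULE, line))
        print(name, "anchored rule:", extract(ANCHORED_RULE, line))
```
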