<div dir="ltr"><div><div><div>Hi all,<br><br></div>reading the docs I got into this config:<br><br>source s_apache_access_log { <br> file( <br> "/var/logs/apache2/access_log" <br> follow-freq(1) <br> flags(no-parse) <br> ); <br>}; <br> <br>filter f_apache_access_log { <br> match( <br> '(.*) (.*) - - \[[0-9]{2}\/[A-Z][a-z]{2}\/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} -0300\] \"(.*) (.*) (.*)\" (.*) (.*) \"-\" (.*)' <br> type("pcre") <br> flags("store-matches") <br> ); <br>}; <br> <br>rewrite r_apache_access_log { <br> set("$1", value("DOMAIN") condition(filter(f_apache_access_log))); <br> set("$2", value("IP") condition(filter(f_apache_access_log))); <br> set("$3", value("HTTP_METHOD") condition(filter(f_apache_access_log))); <br> set("$4", value("URI") condition(filter(f_apache_access_log))); <br> set("$6", value("HTTP_STATUS") condition(filter(f_apache_access_log))); <br> set("$7", value("SIZE") condition(filter(f_apache_access_log))); <br> set("$8", value("USER_AGENT") condition(filter(f_apache_access_log))); <br>}; <br> <br>destination d_apache_access_log { <br> mongodb( <br> # <a href="https://docs.mongodb.com/manual/reference/connection-string/">https://docs.mongodb.com/manual/reference/connection-string/</a> <br> persist-name("apache-access-logs") <br> uri("mongodb://$server_and_port/syslog?wtimeoutMS=60000&socketTimeoutMS=60000&connectTimeoutMS=60000") <br> collection("logs") <br> retries(3600) <br> value-pairs( <br> pair("HOST", "${HOST}") <br> pair("SERVICE", "APACHE") <br> pair("DATE", "${DAY}/${MONTH}/${YEAR}") <br> pair("TIME", "${HOUR}:${MIN}") <br> pair("MESSAGE", "${MESSAGE}") <br> pair("DOMAIN", "${DOMAIN}") <br> pair("HTTP_STATUS", "${HTTP_STATUS}") <br> pair("HTTP_METHOD", "${HTTP_METHOD}") <br> pair("USER_AGENT", "${USER_AGENT}") <br> pair("SIZE", "${SIZE}") <br> pair("URI", "${URI}") <br> pair("IP", "${IP}") <br> ) <br> ); <br>}; <br> <br>log { <br> source(s_apache_access_log); <br> filter(f_apache_access_log); <br> rewrite(r_apache_access_log); <br> destination(d_apache_access_log); <br>}; <br><br></div>but I think something is not ok, I'm not sure this is the right way to do it.<br><br></div>This log produces an strange behavior: <br><br><a href="http://www.cifa.li">www.cifa.li</a> 127.0.0.1 - - [11/Jul/2017:09:18:56 -0300] "GET / HTTP/1.1" 200 18652 "<a href="http://cifa.li/">http://cifa.li/</a>" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"<br clear="all"><div><div><div><div><div><div><div><br></div><div>but this one doesn't<br><br><a href="http://cifa.li">cifa.li</a> 127.0.0.1 - - [11/Jul/2017:09:18:56 -0300] "GET / HTTP/1.1"
200 18652 "<a href="http://cifa.li/">http://cifa.li/</a>" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64;
rv:54.0) Gecko/20100101 Firefox/54.0"</div><div><br></div><div>The behavior is (only for subdomains):<br><br></div><div>DOMAIN: ': <a href="http://www.cifa.li">www.cifa.li</a>' <br><br></div><div>corret one<br><br></div><div>DOMAIN: '<a href="http://www.cifa.li">www.cifa.li</a>'<br><br></div><div>The subdomain seems like it's adding stuff that I didn't (or want) to add.<br><br><br></div><div>Am I missing something?<br><br></div><div>Thanks in advance.<br></div><div><br></div><div><br>-- <br><div class="gmail_signature">[ ]'s<br><br>Filipe Cifali Stangler<br></div>
</div></div></div></div></div></div></div></div>