Notausstieg0309 / checkmk-plugin-access-logs

A check plugin for CheckMK monitoring solution to check HTTP response codes via analyzing access logs (Apache, Tomcat, Nginx, etc.)
GNU General Public License v3.0

Need help with regex #3

Closed dnlldl closed 1 year ago

dnlldl commented 1 year ago

The default regex doesn't work with my version of Apache apparently.

vm-dev:/usr/lib/check_mk_agent/plugins # ./access_logs.linux.py
<<<access_logs>>>
[/var/log/apache2/access_log]
error: No suitable regular expression configured to extract date and status code from line '10.1.1.1 - - [30/Apr/2023:23:47:21 -0400] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"'

vm-dev:/usr/lib/check_mk_agent/plugins # httpd -v
Server version: Apache/2.4.51 (Linux/SUSE)
Server built:   2022-06-10 11:44:10.000000000 +0000

Default regex:

^(?:\S+\s+)+\[(?P<date>[^\]]+) \+\d\d\d\d\]\s+"[^"]*"\s+(?P<status>\d+)

Example log:

10.1.1.1 - - [16/Apr/2022:16:15:53 -0400] "\x16\x03\x01\x017\x01" 400 661 "-" "-"
10.1.1.1 - - [30/Apr/2023:23:44:55 -0400] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36"

Toying around with regex I'm able to capture the 2 groups with the following but I'm not sure what to do next with <date> and <status>:

^.*\[(.*)\].*\"\s(\d\d\d)\s\-.* 

Any help would be appreciated.

dnlldl commented 1 year ago

Seems to work with the following:

^(?:\S+\s+)+\[(?P<date>[^\]]+) \+\d\d\d\d\]\s+"[^"]*"\s+(?P<status>\d+) # original
^(?:\S+\s+)+\[(?P<date>[^\]]+) \-\d\d\d\d\]\s+"[^"]*"\s+(?P<status>\d+) # modified

Had to change it directly in the code, however; in WATO when I save the regex just disappears (?).
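An added example, not part of the thread or the plugin's own code: the default pattern quoted above requires a `+` before the UTC offset, so lines logged with `-0400` never match. The sketch below compares it with a variant that accepts either sign; `parse_line`, `coverage`, the `strptime` format and the `+0200` sample line are assumptions made for this example.

```python
import re
from datetime import datetime

# Default pattern quoted in the issue: the UTC offset must start with "+".
DEFAULT = re.compile(
    r'^(?:\S+\s+)+\[(?P<date>[^\]]+) \+\d\d\d\d\]\s+"[^"]*"\s+(?P<status>\d+)')
# Variant for this example: "[+-]" accepts offsets east or west of UTC.
EITHER_SIGN = re.compile(
    r'^(?:\S+\s+)+\[(?P<date>[^\]]+) [+-]\d{4}\]\s+"[^"]*"\s+(?P<status>\d+)')

SAMPLE_LINES = [
    # The two lines quoted in the issue (second user agent shortened).
    r'10.1.1.1 - - [16/Apr/2022:16:15:53 -0400] "\x16\x03\x01\x017\x01" 400 661 "-" "-"',
    r'10.1.1.1 - - [30/Apr/2023:23:44:55 -0400] "GET / HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    # Constructed line with a positive offset.
    r'10.1.1.2 - - [01/May/2023:08:00:00 +0200] "GET /x HTTP/1.1" 200 12 "-" "-"',
]


def parse_line(line, pattern):
    """Return (naive datetime, status code), or None if the pattern does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    # The offset is matched but not captured, so the timestamp stays naive.
    when = datetime.strptime(m.group("date"), "%d/%b/%Y:%H:%M:%S")
    return when, int(m.group("status"))


def coverage(pattern):
    """Count how many of the sample lines the pattern can parse."""
    return sum(parse_line(line, pattern) is not None for line in SAMPLE_LINES)


if __name__ == "__main__":
    for name, pat in (("default", DEFAULT), ("either sign", EITHER_SIGN)):
        print(f"{name}: {coverage(pat)}/{len(SAMPLE_LINES)} sample lines parsed")
```

A pattern that silently skips lines hides the 4xx/5xx responses the check is meant to count, so it is worth confirming coverage against real log lines after any regex change.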