search

elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats
Other
12.16k stars 4.91k forks source link

[Filebeat] Bad URI parsing in HAProxy pipeline #37441

Open trympet opened 10 months ago

trympet commented 10 months ago

HAProxy with default HTTP log yields garbage for the http request method if the request uri is an absolute URL.

When parsing the message

Feb  6 12:14:14 localhost haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} {} "GET https://example.com/foo/bar HTTP/1.1"

the expected behavior is that http.request.method = GET. Actual behavior is http.request.method = com.

Proposed solution is to update pipeline.yml to parse the request header according to the language defined by https://www.rfc-editor.org/rfc/rfc2616#section-5.1.2:

Request-URI    = "*" | absoluteURI | abs_path | authority

For reference, the default HAProxy HTTP log format is described here: https://www.haproxy.com/documentation/haproxy-configuration-manual/1-8r1/#8.2.3

Thanks!

Filebeat version: 8.5.0

botelastic[bot] commented 10 months ago

This issue doesn't have a Team:<team> label.