Open fadenb opened 8 years ago
Hey :)
I just found a weird http_version being extracted: v0.18.2. I traced it back to the following message (some parts redacted):
YYYYYYYYYYYY nginx: 151.ZZZ.48.28 - - [11/May/2016:19:07:39 +0000] "GET / HTTP/1.1" 301 178 "http://XXXXXXXXX.de/" "Pcore-HTTP/v0.18.2" "-" <msec=1462993659.671|connection=1121932|connection_requests=1|millis=0.000>
To me it looks like the current http_version extractor rule nginx:.+HTTP/(\S+)" is not specific enough and matches the last occurrence of HTTP/ followed by a string. In this case parts of the user agent matched and were extracted.
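An added example (not part of the original report and not the project's own rule set) that reproduces the greedy match on the log line above and compares it with a stricter pattern anchored on the request field. `ANCHORED_RULE`, the `extract` helper and the malformed sample line are assumptions made for illustration, and Python's `re` stands in for the extractor's regex engine.

```python
import re

# Log line from the report, redacted exactly as in the issue.
SAMPLE = (
    'YYYYYYYYYYYY nginx: 151.ZZZ.48.28 - - [11/May/2016:19:07:39 +0000] '
    '"GET / HTTP/1.1" 301 178 "http://XXXXXXXXX.de/" "Pcore-HTTP/v0.18.2" "-" '
    '<msec=1462993659.671|connection=1121932|connection_requests=1|millis=0.000>'
)

# Constructed line: same client, but the request is not a valid HTTP request line.
MALFORMED = (
    'YYYYYYYYYYYY nginx: 151.ZZZ.48.28 - - [11/May/2016:19:07:40 +0000] '
    '"-" 400 0 "-" "Pcore-HTTP/v0.18.2" "-" '
    '<msec=1462993660.100|connection=1121933|connection_requests=1|millis=0.000>'
)

# Rule quoted in the issue: the greedy ".+" runs to the end of the line and
# backtracks, so the capture comes from the LAST 'HTTP/...' before a quote.
CURRENT_RULE = re.compile(r'nginx:.+HTTP/(\S+)"')

# Hypothetical stricter rule (assumption, not the project's fix): a lazy skip
# to the end of the timestamp, then the quoted request field
# '"METHOD target HTTP/x.y"' followed by a three-digit status code.
ANCHORED_RULE = re.compile(
    r'nginx: .*?\] "[A-Z]+ \S+ HTTP/(\d+(?:\.\d+)?)" \d{3} '
)


def extract(rule, line):
    """Return the captured http_version, or None when the rule does not match."""
    match = rule.search(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    for name, line in (("sample", SAMPLE), ("malformed", MALFORMED)):
        print(name, "current :", extract(CURRENT_RULE, line))
        print(name, "anchored:", extract(ANCHORED_RULE, line))
```

With the anchored pattern, a line whose request field is not a well-formed request yields no http_version at all instead of a value taken from the client-supplied User-Agent header.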