@@ -111,7 +111,7 @@ filter {
111111
112112 grok {
113113 match => {
114- "rawSectionB" => "%{DATA:httpMethod}\s(?<requestedUri>\S+)\s(?<incomingProtocol>.+)\n{1}"
114+ "rawSectionB" => "%{DATA:httpMethod}\s(?<requestedUri>\S+)\s(?<incomingProtocol>.+? )\n{1}"
115115 }
116116 patterns_dir => "./patterns/logstash_modsecurity_patterns"
117117 }
@@ -145,11 +145,11 @@ filter {
145145 # Parse out fields from Section B (request headers, line 2+)
146146 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
147147
148- if [rawSectionB] =~ /.+\n(?m).+/ {
148+ if [rawSectionB] =~ /.+? \n(?m).+/ {
149149
150150 grok {
151151 match => {
152- "rawSectionB" => ".+\n(?m)(?<raw_requestHeaders>.+)"
152+ "rawSectionB" => ".+? \n(?m)(?<raw_requestHeaders>.+)"
153153 }
154154 patterns_dir => "./patterns/logstash_modsecurity_patterns"
155155 }
@@ -177,18 +177,18 @@ filter {
177177 grok {
178178 singles => true
179179 match => {
180- "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)$"
180+ "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+? )$"
181181 }
182182 patterns_dir => "./patterns/logstash_modsecurity_patterns"
183183 }
184184
185185 # response section (WITH headers)
186- } else if [rawSectionF] =~ /(.+?)\s(.+)\n{1}/ {
186+ } else if [rawSectionF] =~ /(.+?)\s(.+? )\n{1}/ {
187187
188188 grok {
189189 singles => true
190190 match => {
191- "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)\n{1}"
191+ "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+? )\n{1}"
192192 }
193193 patterns_dir => "./patterns/logstash_modsecurity_patterns"
194194 }
@@ -205,7 +205,7 @@ filter {
205205
206206 grok {
207207 match => {
208- "rawSectionF" => ".+\n(?m)(?<raw_responseHeaders>.+)"
208+ "rawSectionF" => ".+? \n(?m)(?<raw_responseHeaders>.+)"
209209 }
210210 patterns_dir => "./patterns/logstash_modsecurity_patterns"
211211 }
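Review bot: The request-line pattern in the first hunk (`"rawSectionB" => "%{DATA:httpMethod}\s(?<requestedUri>\S+)\s(?<incomingProtocol>...)\n{1}"`) is still unanchored and separates its fields with `\s`, which also matches a newline, so a request line that lacks two spaces can apparently let the match run into the following header lines and fill `httpMethod` and `requestedUri` from client-controlled header text. Assuming `rawSectionB` begins with the request line, anchoring it and using literal spaces, e.g. `"\A%{DATA:httpMethod} (?<requestedUri>\S+) (?<incomingProtocol>[^\n]+)\n"`, would keep these fields tied to line 1; the `rawSectionF` status-line patterns in the third hunk have the same shape. Separately, every changed pattern shows a space after `.+?`; if that space is literal rather than an artifact of how this page renders the diff, lines without a trailing space will stop matching and events will carry only `_grokparsefailure`, so it is worth confirming against a sample audit-log entry. The enclosing `filter` block starts and ends outside these hunks.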