fix issue #7

bitsofinfo · bitsofinfo · commit ccfc61e4ef83 · 2014-07-16T12:55:19.000-04:00
fix issue #7
diff --git a/logstash-modsecurity.conf b/logstash-modsecurity.conf
@@ -168,28 +168,41 @@ filter {
 
 
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  # Parse out fields from Section F (response related, line 1)
+  # Parse out server protocol/HTTP status from Section F (response related, line 1)
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-  # if the server responded...
-  if [rawSectionF] =~ /.+/ {
+   # response section (NO headers)
+  if [rawSectionF] =~ /(.+?)\s(.+?)$/ {
+        
+        		
+      grok {
+              singles => true
+              match => {
+                      "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)$"
+                      }
+              patterns_dir => "./patterns/modsecurity_grok_patterns"
+      }
 
+  # response section (WITH headers)
+  } else if [rawSectionF] =~ /(.+?)\s(.+)\n{1}/ {
+  
     grok {
-      match => {
-        "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)\n{1}"
-      }
-      patterns_dir => "./patterns/logstash_modsecurity_patterns"
+            singles => true
+            match => {
+                    "rawSectionF" => "(?<serverProtocol>.+?)\s(?<responseStatus>.+)\n{1}"
+                    }
+            patterns_dir => "./patterns/modsecurity_grok_patterns"
     }
 
-  }
+  } 
 
 
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  # Parse out fields from Section F (response headers)
+  # Parse out response headers from Section F (response headers, lines 2+)
   #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-    # only if the server responded...
-    if [rawSectionF] =~ /.+/ {
+    # only if the server responded...WITH headers...
+    if [rawSectionF] =~ /(.+?)\s(.+)\n{1}/ {
 
       grok {
         match => {
