Foward slash in kibana 3 query

apache-2.2elasticsearchkibanalogstash

I'm trying to add a query that will match a request that ends with a slash, like this one:

n.n.n.n - - [16/Oct/2013:16:40:41 +0100] "GET / HTTP/1.1" 200 25058 "-" "Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A501 Safari/9537.53"

I'm using the Lucene query type.

If my query is set to *, I see the event.

If I set it to request:"css", I see CSS requests, as expected.

However, all of the following yield no results:

request:"/"
request:"\/"
request:"\\/"

I tried a Lucene regular expression, with no luck:

request:/\//

I note that someone else is getting what appears to be a similar issue, although that's on Kibana 2: https://github.com/rashidkpc/Kibana/issues/401

How can I query for requests that end with a / character?

Best Answer

What mapping have you defined?

Depending on the mapping you have defined on the [request] field, it is possible that the slash '/' is not stored in the elasticsearch index.

If you add a term panel to kibana for the [request] field, do you see the full request values, or do you see those values being split into keywords/term?

Related Solutions

Tomcat – 302/301 and 404 redirect issue for apache redirection for tomcat

Is there something validating the URL on the other side? What happens if you just go to ip.address:8080 do you get a 404? I am just wondering if it is something tomcat could be doing.

Also, if you add

"ProxyPreserveHost On"

this will keep the request header so you can pass it to tomcat.

Also, why do you have all of this? cgi-bin and such:

Options FollowSymLinks AllowOverride None

<Directory /home/ubuntu/www/apache/onlinetaskboarddotcom/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined

Strange GET requests on Apache and a lot of 404 errors every day

There's always a lot of "background noise" being generated by bots scanning random ip-ranges and trying for known vulnerabilities and exploits. It's a fact of modern digital life and you see evidence of that in your log files.
Keep your systems patched and up-to-date and learn to live with that.

When a lot of traffic is for more valid looking URL's that aren't and never were part of your website, you're most likely suffering from either:

a recycled domain. Your domain was registered and active in the past and a lot of links still point to content of the previous site owner. Live with it.
a recycled ip-address. The ip-address you've been assigned was used in the past by a previous tenant and when they terminated their hosting plan they didn't update/terminate their DNS accordingly. I.e. their traffic still comes to your server.
similar to above but one of your IP neigbours made a typo in their DNS configuration.

The latter two are roughly the same: you don't own or operate www.example.org but it's still registered and pointing to your ip-address and you see traffic for them coming to your server.
Quite similar to moving to a new address either receiving mail for the previous owner or mail for Mrs Adams on number 13 being addressed to Mrs Adams at your number 30 instead.

Ideally you can identify and contact the owner of the mis-configured domain and they'll update their DNS.
Alternatively you create a separate name-based virtual host for www.example.com making the log files for your actual domain cleaner and reduce the impact by using a tiny error message instead of a nicely crafted HTML page.

Best Answer

Related Solutions

Tomcat – 302/301 and 404 redirect issue for apache redirection for tomcat

Strange GET requests on Apache and a lot of 404 errors every day

Related Topic