can't parse custom logs #5

abgit · 2013-08-05T21:06:50Z

I'm trying to get goaccess working. Already take some time on docs and examples but without success.

Basically i have log lines like:

10031488_71334 xpto.domain.com 88.103.999.999 - - [16/Jun/2013:15:03:26 +0000] "GET / HTTP/1.1" 500 5624 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" -

and already compile goaccess and create a conf file:

cat ~/.goaccessrc
date_format %d/%b/%Y:%T %z
log_format %^ %^ %h - - [$d] "%r" %s %b "%R" "%u" %^

Then i got:

./goaccess -a -f miniout.log
GoAccess - version 0.6 - Aug  5 2013 20:20:16
An error has occurred
Error occured at: goaccess.c - render_screens - 358
Message: Nothing valid to process.

The text was updated successfully, but these errors were encountered:

allinurl · 2013-08-05T21:31:03Z

The following should do it. Just make sure you have a valid IP. (88.103.999.999 won't let you parse the log)

log_format %^ %^ %h %^[%d:%^] "%r" %s %b "%R" "%u"
date_format %d/%b/%Y

abgit · 2013-08-05T21:44:25Z

Now it works as expected. Thanks.

about valid ip: 88.103.999.999 was just a obuscation. valid ip's are always used;
btw, if ip is not valid, goaccess aborts parsing or just ignores log entry with invalid ip?
just an idea that can be usefull to others: this log format is the one used by rackspace. because you have amazon-couldfront log format option in log format configuration wizard, maybe you could add this rackspace-akamai format too :)

allinurl · 2013-08-05T21:48:09Z

@abgit goaccess will ignore the entry and take it as an invalid request.
I can add the Rackspace format too, do you know if they have some documentation about this that I can refer to?

abgit · 2013-08-06T08:59:44Z

I don't find docs about log format but i know that rackspace has 2 log formats because i'm using their services from some time.

rackspace loadbalancers log:
10031488_71334 xpto.domain.com 88.103.999.999 - - [16/Jun/2013:15:03:26 +0000] "GET / HTTP/1.1" 500 5624 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" 10.201.201.5:80
rackspace cdn log:
5.3.56.7 - - [18/Jun/2013:19:50:09 +0000] "GET /1123123a07d61231233a-8d685f5f11665a311231230a1cc93333.r66.cf6.rackcdn.com/ HTTP/1.1" 404 363 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" "-"

Balancer log format preprends balancerid and domain and at end adds internal httpserver node ip and port, rackspace cdn sounds like standard format.

allinurl · 2013-08-07T13:16:45Z

Seems like the CDN can be parsed using the NCSA Combined Log Format. I'll add the Load Balancer format to the predefined options.

abgit · 2013-08-07T13:22:10Z

that's nice. rackspace loadbalancer format can be useful to others :)
thanks

Do not exit immediately, instead call previously set sigsev handler, which might be a handler provided by a third party tool like ASAN. Example extended crash output: ==23351== GoAccess 1.4 crashed by Sig 11 ==23351== ==23351== VALUES AT CRASH POINT ==23351== ==23351== Line number: 10000 ==23351== Offset: 10000 ==23351== Invalid data: 0 ==23351== Piping: 0 ==23351== ==23351== STACK TRACE: ==23351== ==23351== 0 ./goaccess(backtrace+0x5b) [0x45d88b] ==23351== 1 ./goaccess(sigsegv_handler+0x14a) [0x4d9dca] ==23351== 2 /lib/x86_64-linux-gnu/libpthread.so.0(+0x14110) [0x7f4ed7e4c110] ==23351== 3 ./goaccess(parse_raw_data+0x5d) [0x50bd3d] ==23351== 4 ./goaccess() [0x54c896] ==23351== 5 ./goaccess() [0x552d3f] ==23351== 6 ./goaccess() [0x550bb5] ==23351== 7 ./goaccess() [0x54fc26] ==23351== 8 ./goaccess() [0x54a9d1] ==23351== 9 ./goaccess(main+0x2b4) [0x549c74] ==23351== 10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7f4ed7b2ae0b] ==23351== 11 ./goaccess(_start+0x2a) [0x42686a] ==23351== ==23351== Please report it by opening an issue on GitHub: ==23351== https://github.com/allinurl/goaccess/issues AddressSanitizer:DEADLYSIGNAL ================================================================= ==23351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000050bd3d bp 0x7ffef6429050 sp 0x7ffef6429030 T0) ==23351==The signal is caused by a READ memory access. ==23351==Hint: address points to the zero page. #0 0x50bd3d in parse_raw_data /home/christian/Coding/workspaces/goaccess/src/gkhash.c:3097:44 allinurl#1 0x54c895 in allocate_holder_by_module /home/christian/Coding/workspaces/goaccess/src/goaccess.c:303:14 allinurl#2 0x552d3e in expand_module_from_ypos /home/christian/Coding/workspaces/goaccess/src/goaccess.c:524:3 allinurl#3 0x550bb4 in expand_on_mouse_click /home/christian/Coding/workspaces/goaccess/src/goaccess.c:541:5 allinurl#4 0x54fc25 in get_keys /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1060:7 allinurl#5 0x54a9d0 in curses_output /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1171:3 allinurl#6 0x549c73 in main /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1469:5 allinurl#7 0x7f4ed7b2ae0a in __libc_start_main csu/../csu/libc-start.c:308:16 allinurl#8 0x426869 in _start (/home/christian/Coding/workspaces/goaccess/goaccess+0x426869) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/christian/Coding/workspaces/goaccess/src/gkhash.c:3097:44 in parse_raw_data ==23351==ABORTING

Do not exit immediately, instead call previously set sigsegv handler, which might be a handler provided by a third party tool like ASAN. Example extended crash output: ==23351== GoAccess 1.4 crashed by Sig 11 ==23351== ==23351== VALUES AT CRASH POINT ==23351== ==23351== Line number: 10000 ==23351== Offset: 10000 ==23351== Invalid data: 0 ==23351== Piping: 0 ==23351== ==23351== STACK TRACE: ==23351== ==23351== 0 ./goaccess(backtrace+0x5b) [0x45d88b] ==23351== 1 ./goaccess(sigsegv_handler+0x14a) [0x4d9dca] ==23351== 2 /lib/x86_64-linux-gnu/libpthread.so.0(+0x14110) [0x7f4ed7e4c110] ==23351== 3 ./goaccess(parse_raw_data+0x5d) [0x50bd3d] ==23351== 4 ./goaccess() [0x54c896] ==23351== 5 ./goaccess() [0x552d3f] ==23351== 6 ./goaccess() [0x550bb5] ==23351== 7 ./goaccess() [0x54fc26] ==23351== 8 ./goaccess() [0x54a9d1] ==23351== 9 ./goaccess(main+0x2b4) [0x549c74] ==23351== 10 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7f4ed7b2ae0b] ==23351== 11 ./goaccess(_start+0x2a) [0x42686a] ==23351== ==23351== Please report it by opening an issue on GitHub: ==23351== https://github.com/allinurl/goaccess/issues AddressSanitizer:DEADLYSIGNAL ================================================================= ==23351==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000050bd3d bp 0x7ffef6429050 sp 0x7ffef6429030 T0) ==23351==The signal is caused by a READ memory access. ==23351==Hint: address points to the zero page. #0 0x50bd3d in parse_raw_data /home/christian/Coding/workspaces/goaccess/src/gkhash.c:3097:44 allinurl#1 0x54c895 in allocate_holder_by_module /home/christian/Coding/workspaces/goaccess/src/goaccess.c:303:14 allinurl#2 0x552d3e in expand_module_from_ypos /home/christian/Coding/workspaces/goaccess/src/goaccess.c:524:3 allinurl#3 0x550bb4 in expand_on_mouse_click /home/christian/Coding/workspaces/goaccess/src/goaccess.c:541:5 allinurl#4 0x54fc25 in get_keys /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1060:7 allinurl#5 0x54a9d0 in curses_output /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1171:3 allinurl#6 0x549c73 in main /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1469:5 allinurl#7 0x7f4ed7b2ae0a in __libc_start_main csu/../csu/libc-start.c:308:16 allinurl#8 0x426869 in _start (/home/christian/Coding/workspaces/goaccess/goaccess+0x426869) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/christian/Coding/workspaces/goaccess/src/gkhash.c:3097:44 in parse_raw_data ==23351==ABORTING

Check if requested string is long enough for comparison. ==65303==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000013a4d at pc 0x00000043e1cb bp 0x7ffe4e3c09a0 sp 0x7ffe4e3c0140 READ of size 1 at 0x602000013a4d thread T0 #0 0x43e1ca in __interceptor_strncasecmp (/home/christian/Coding/workspaces/goaccess/goaccess+0x43e1ca) allinurl#1 0x5922e0 in verify_static_content /home/christian/Coding/workspaces/goaccess/src/parser.c allinurl#2 0x5922e0 in is_static /home/christian/Coding/workspaces/goaccess/src/parser.c:1487:10 allinurl#3 0x58ecbc in pre_process_log /home/christian/Coding/workspaces/goaccess/src/parser.c:1775:12 allinurl#4 0x593bd5 in read_line /home/christian/Coding/workspaces/goaccess/src/parser.c:1797:14 allinurl#5 0x593bd5 in read_lines /home/christian/Coding/workspaces/goaccess/src/parser.c:1914:16 allinurl#6 0x593bd5 in read_log /home/christian/Coding/workspaces/goaccess/src/parser.c:2008:7 allinurl#7 0x593bd5 in parse_log /home/christian/Coding/workspaces/goaccess/src/parser.c:2059:9 allinurl#8 0x55c83a in main /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1612:14 allinurl#9 0x7f00dae96e49 in __libc_start_main csu/../csu/libc-start.c:314:16 allinurl#10 0x4289d9 in _start (/home/christian/Coding/workspaces/goaccess/goaccess+0x4289d9) 0x602000013a4d is located 3 bytes to the left of 3-byte region [0x602000013a50,0x602000013a53) allocated by thread T0 here: #0 0x4a519d in malloc (/home/christian/Coding/workspaces/goaccess/goaccess+0x4a519d) allinurl#1 0x61d38a in xmalloc /home/christian/Coding/workspaces/goaccess/src/xmalloc.c:46:14 allinurl#2 0x61d569 in xstrdup /home/christian/Coding/workspaces/goaccess/src/xmalloc.c:58:9 allinurl#3 0x59b1ac in decode_url /home/christian/Coding/workspaces/goaccess/src/parser.c:325:19 allinurl#4 0x59b6a3 in parse_req /home/christian/Coding/workspaces/goaccess/src/parser.c:559:16 allinurl#5 0x5978df in parse_specifier /home/christian/Coding/workspaces/goaccess/src/parser.c:1026:20 allinurl#6 0x5904aa in parse_format /home/christian/Coding/workspaces/goaccess/src/parser.c:1382:18 allinurl#7 0x58dc07 in pre_process_log /home/christian/Coding/workspaces/goaccess/src/parser.c:1743:11 allinurl#8 0x593bd5 in read_line /home/christian/Coding/workspaces/goaccess/src/parser.c:1797:14 allinurl#9 0x593bd5 in read_lines /home/christian/Coding/workspaces/goaccess/src/parser.c:1914:16 allinurl#10 0x593bd5 in read_log /home/christian/Coding/workspaces/goaccess/src/parser.c:2008:7 allinurl#11 0x593bd5 in parse_log /home/christian/Coding/workspaces/goaccess/src/parser.c:2059:9 allinurl#12 0x55c83a in main /home/christian/Coding/workspaces/goaccess/src/goaccess.c:1612:14 allinurl#13 0x7f00dae96e49 in __libc_start_main csu/../csu/libc-start.c:314:16

ghost assigned allinurl Aug 7, 2013

abgit closed this as completed Aug 7, 2013

abgit reopened this Aug 7, 2013

abgit closed this as completed Aug 7, 2013

TempleNode mentioned this issue Sep 9, 2015

GoAccess 0.9.3 crashed by Signal 11 when loading persisted data #296

Closed

buluxan mentioned this issue May 20, 2016

How to get the public ip on my Apache Amazon EC2 logs #417

Closed

Nykoshiro mentioned this issue Aug 20, 2019

Docker-compose : Goaccess cannot find log #1494

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

can't parse custom logs #5

can't parse custom logs #5

abgit commented Aug 5, 2013

allinurl commented Aug 5, 2013

abgit commented Aug 5, 2013

allinurl commented Aug 5, 2013

abgit commented Aug 6, 2013

allinurl commented Aug 7, 2013

abgit commented Aug 7, 2013

can't parse custom logs #5

can't parse custom logs #5

Comments

abgit commented Aug 5, 2013

allinurl commented Aug 5, 2013

abgit commented Aug 5, 2013

allinurl commented Aug 5, 2013

abgit commented Aug 6, 2013

allinurl commented Aug 7, 2013

abgit commented Aug 7, 2013