Re: Hexadecimal representation of special characters breaking JSON logs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 2, 2024 at 6:54 PM Dominic Humphries
<dominic@xxxxxxxxxx.invalid> wrote:
>
> As per https://httpd.apache.org/docs/current/mod/mod_log_config.html#format-notes we see special characters getting represented in our logs by their hexadecimal representation - \xhh
>
> However, we output our logs in a json format, and this representation results in invalid JSON, which gives us problems when we forward them to Logstash.
>
> A path of /abc gives us the expected output: "@message": "GET /abc HTTP/1.1"
> which is valid JSON
> But a path of e.g. /abcé results in: "@message": "GET /abc\xc3\xa9 HTTP/1.1"
> which results in jq reporting parse error: Invalid escape
>
> Ideally, we'd like to disable the hex representation and just have the original string in our logs. Failing that, adding additional backslashes to escape the inserted hex seems like it should work, and I thought piping the log via sed would allow for this, but for some reason
>
> CustomLog "|$/usr/bin/sed 's/old/new/g' >> logfile" logstash_ext_json
>
> just results in nothing being logged to the file - no errors anywhere, just no logging happening.

sed may buffer input/output, so it might take a while before anything
is written to the logfile.

> Any advice on how to fix the logging so every special character doesn't break JSON parsing would be appreciated!

The correct solution - proper JSON-style escaping is currently stuck
in this Pull request:

https://github.com/apache/httpd/pull/429

If you build httpd yourself anyway, you can just apply that patch
locally, test it, and report your resuts in the pull request. That may
help it move towards getting merged into the 2.4 branch.

As a workaround, substitute \x with % in your log pipeline.

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux