Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IPv6 address is not correctly parsed in nginx_ingress_controller integrations #4128

Closed
gsantoro opened this issue Sep 5, 2022 · 1 comment · Fixed by #4140
Closed

IPv6 address is not correctly parsed in nginx_ingress_controller integrations #4128

gsantoro opened this issue Sep 5, 2022 · 1 comment · Fixed by #4140
Assignees
@gsantoro
Labels
Integration:nginx_ingress_controller Nginx Ingress Controller Logs Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team [elastic/obs-cloudnative-monitoring]

Comments

@gsantoro
Copy link
Contributor

gsantoro commented Sep 5, 2022
edited
Loading

IPv6 addresses can be surrounded by [] like [2a02:cf40::]:9200 in some nginx ingress controller logs

2a02:cf40:: - remote_monitoring_user [24/Aug/2022:21:04:17 +0000] "POST /_bulk HTTP/1.1" 200 470 "-" "Elastic-metricbeat/7.16.3 (linux; amd64; e7cede6a62ed4452bd9044fc6f4947df; 2022-01-07 00:50:33 +0000 UTC)" 2057 0.033 [esmon-esmon-es-http-9200] [] [2a02:cf40::]:9200 470 0.036 200 3db73c6c673c4256ade033a6ce08c2ab

In some logs you can even find a list of ipv6/port like [2a02:cf40::7]:5000, [2a02:cf40::4e36]:5000

2a02:cf40::4e36 - - [24/Aug/2022:18:05:41 +0000] \"GET /favicon.ico HTTP/2.0\" 502 552 \"https://localhost:8080/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36\" 27 0.000 [localhost-8080] [] [2a02:cf40::7]:5000, [2a02:cf40::4e36]:5000 0, 0, 0 0.000, 0.000, 0.000 502, 502, 502 3db73c6c673c4256ade033a6ce08c2ab

The grok pattern in the ingest_pipeline /packages/nginx_ingress_controller/data_stream/access/elasticsearch/ingest_pipeline/default.yml has to be modified to correctly handle this use case.

I found a similar implementation at PR.

I found some references to the optional square brackets surrounding the IPv6 here. This article points to an official RFC suggesting that IPv6 should be surrounded by square brackets in URLs to distinguish IPv6 from ports.
@gsantoro gsantoro self-assigned this Sep 5, 2022
@gsantoro gsantoro added Integration:nginx_ingress_controller Nginx Ingress Controller Logs Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team [elastic/obs-cloudnative-monitoring] labels Sep 5, 2022
@gsantoro
Copy link
Contributor Author

gsantoro commented Sep 5, 2022

Similar issue at elastic/beats#32978

@legoguy1000 legoguy1000 mentioned this issue Sep 5, 2022
Closed
4 tasks
@gsantoro gsantoro mentioned this issue Sep 6, 2022
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gsantoro gsantoro

Labels
Integration:nginx_ingress_controller Nginx Ingress Controller Logs Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team [elastic/obs-cloudnative-monitoring]
Projects
None yet
Milestone
No milestone
1 participant
@gsantoro