Need Help, EventLogAnalyzer not parsing apache-style logs I send to it

I am seeing these warnings in the eventlog.out file: my apache logs are reaching the server, but they are not being parsed, and the host doesn't even show up in the list of hosts.  

    NO match for Key/regex for this Format SysLog with id 112
    Key line is 98.115.16.2 - - [20/Mar/2015:23:31:04 -0400] "POST https://services.local/PFMDataServicesDev/Service1.svc HTTP/1.1" 200 1366 "-" "-" TCP_MISS:FIRSTUP_PARENT/services1
    Unable to find KEY for this Format Unix with id 10
    Unable to find key Unix 10
Here is the full dump of the parse error

            @@@@@ Inside SendUdpPacket() @@@@@
    Packet[565] sent
    Got Pac[203] : <150>Mar 20 23:34:01 proxy5 squid: 98.115.16.10 - - [20/Mar/2015:23:34:01 -0400] "POST https://services.local/PFMDataServicesDev/Service1.svc HTTP/1.1" 200 1356 "-" "-" TCP_MISS:FIRSTUP_PARENT/services1
    Old Unix Id is 398
    Started populating
    HostType : Unix
    Timestamp parsed as 2015-03-20 23:00:00
    Priority : 150
    fac : 18
    sev : 6
    Key line is 98.115.16.10 - - [20/Mar/2015:23:34:01 -0400] "POST https://services.local/PFMDataServicesDev/Service1.svc HTTP/1.1" 200 1356 "-" "-" TCP_MISS:FIRSTUP_PARENT/services1
    Unable to find KEY for this Format Unix with id 10
    Unable to find key Unix 10
    NO match for Key/regex for this Format SysLog with id 112
    ParseLogForIE KEY FAILED
    Applying filter over.

I can adjust the format of the log entry being generated; it's basically apache access_log style. Web log analysis programs are able to parse this format. Here's another example.

            @@@@@ Inside SendUdpPacket() @@@@@
    Packet[353] sent
    Got Pac[352] : <150>Mar 20 23:34:01 proxy5 squid: 98.115.16.2 - - [20/Mar/2015:23:34:01 -0400] "POST https://apps.pfm.us/mobileservices/monthlycal.svc/checkscheduleupdates HTTP/1.1" 200 1589 "https://apps.pfm.us/calendars/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36" TCP_MISS:FIRSTUP_PARENT/apps1ssl
    Old Unix Id is 398
    Started populating
    HostType : Unix
    Timestamp parsed as 2015-03-20 23:00:00
    Priority : 150
    fac : 18
    sev : 6
    Key line is 98.115.16.2 - - [20/Mar/2015:23:34:01 -0400] "POST https://apps.pfm.us/mobileservices/monthlycal.svc/checkscheduleupdates HTTP/1.1" 200 1589 "https://apps.pfm.us/calendars/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36" TCP_MISS:FIRSTUP_PARENT/apps1ssl
    Unable to find KEY for this Format Unix with id 10
    Unable to find key Unix 10
    NO match for Key/regex for this Format SysLog with id 112
    ParseLogForIE KEY FAILED
    Applying filter over.

Any suggestions on how to proceed?  I think I either need to put a tag in my customformat so it recognizes this as an apache-access-log format, or I need to build my own custom parse rule (and I don't know how to do that).

Thanks!
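The post asks for a custom parse rule for this log shape. The example below is added here and is not code from the post or from EventLogAnalyzer: it splits the syslog framing (PRI, timestamp, host, program tag) from the Apache-combined access line with Squid's trailing `CODE:HIERARCHY/peer` field, using regex patterns and field names that are my own assumptions. The sample packets are constructed from the two "Got Pac" lines quoted above, and a line the pattern cannot match is kept as unparsed rather than dropped.

```python
import re
from datetime import datetime

# Constructed samples: the two "Got Pac" packets quoted in the post.
SAMPLE_PACKETS = [
    '<150>Mar 20 23:34:01 proxy5 squid: 98.115.16.10 - - [20/Mar/2015:23:34:01 -0400] '
    '"POST https://services.local/PFMDataServicesDev/Service1.svc HTTP/1.1" 200 1356 "-" "-" '
    'TCP_MISS:FIRSTUP_PARENT/services1',
    '<150>Mar 20 23:34:01 proxy5 squid: 98.115.16.2 - - [20/Mar/2015:23:34:01 -0400] '
    '"POST https://apps.pfm.us/mobileservices/monthlycal.svc/checkscheduleupdates HTTP/1.1" 200 1589 '
    '"https://apps.pfm.us/calendars/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36" TCP_MISS:FIRSTUP_PARENT/apps1ssl',
]

# BSD-syslog framing: <PRI>MMM dd HH:MM:SS host tag: message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$'
)

# Apache "combined" layout plus Squid's optional hierarchy field (CODE:HIERARCHY/peer).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)/(?P<peer>\S+))?$'
)


def parse_packet(packet):
    """Return a dict of fields, None if the syslog framing is absent,
    or a dict with 'unparsed' when only the access line fails to match."""
    m = SYSLOG_RE.match(packet)
    if not m:
        return None
    pri = int(m['pri'])
    rec = {'facility': pri // 8, 'severity': pri % 8,  # 150 -> fac 18, sev 6
           'host': m['host'], 'program': m['tag']}
    a = ACCESS_RE.match(m['msg'])
    if not a:
        rec['unparsed'] = m['msg']
        return rec
    rec.update(a.groupdict())
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


if __name__ == '__main__':
    for p in SAMPLE_PACKETS:
        print(parse_packet(p))
```

The facility/severity split of PRI 150 reproduces the "fac : 18" and "sev : 6" values in the dump, which is a quick way to confirm the syslog half of a custom rule before debugging the access-line half.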
