[BUG] Grok plugin CLOUDFRONT_ACCESS_LOG pattern does not compile #4604

Closed
joelmarty opened this issue Jun 5, 2024 · 0 comments · Fixed by #4607
Labels
bug Something isn't working

joelmarty commented Jun 5, 2024

Describe the bug

I am trying to build a pipeline to ingest CloudFront logs to OpenSearch. I found in the grok plugin code that there is a CLOUDFRONT_ACCESS_LOG pattern for the grok processor, which is exactly what I need.
However, when using it, data-prepper fails with the following exception trace:

2024-06-05T16:41:15,109 [main] ERROR org.opensearch.dataprepper.parser.PipelineTransformer - Construction of pipeline components failed, skipping building of pipeline [cloudfront-pipeline] and its connected pipelines
org.opensearch.dataprepper.model.plugin.PluginInvocationException: Exception throw from the plugin'GrokProcessor'.
        at org.opensearch.dataprepper.plugin.PluginCreator.newPluginInstance(PluginCreator.java:60) ~[data-prepper-plugin-framework-2.8.0.jar:?]
        at org.opensearch.dataprepper.plugin.DefaultPluginFactory.loadPlugins(DefaultPluginFactory.java:105) ~[data-prepper-plugin-framework-2.8.0.jar:?]
        at org.opensearch.dataprepper.parser.PipelineTransformer.newProcessor(PipelineTransformer.java:170) ~[data-prepper-core-2.8.0.jar:?]
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
        at org.opensearch.dataprepper.parser.PipelineTransformer.buildPipelineFromConfiguration(PipelineTransformer.java:126) ~[data-prepper-core-2.8.0.jar:?]
        at org.opensearch.dataprepper.parser.PipelineTransformer.transformConfiguration(PipelineTransformer.java:99) ~[data-prepper-core-2.8.0.jar:?]
        at org.opensearch.dataprepper.DataPrepper.<init>(DataPrepper.java:69) ~[data-prepper-core-2.8.0.jar:2.8.0]
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
        at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:211) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:117) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:311) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:296) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) [spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) [spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) [spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955) [spring-beans-5.3.28.jar:5.3.28]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:920) [spring-context-5.3.28.jar:5.3.28]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) [spring-context-5.3.28.jar:5.3.28]
        at org.opensearch.dataprepper.AbstractContextManager.start(AbstractContextManager.java:59) [data-prepper-core-2.8.0.jar:2.8.0]
        at org.opensearch.dataprepper.AbstractContextManager.getDataPrepperBean(AbstractContextManager.java:45) [data-prepper-core-2.8.0.jar:2.8.0]
        at org.opensearch.dataprepper.DataPrepperExecute.main(DataPrepperExecute.java:39) [data-prepper-main-2.8.0.jar:2.8.0]
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
        at org.opensearch.dataprepper.plugin.PluginCreator.newPluginInstance(PluginCreator.java:53) ~[data-prepper-plugin-framework-2.8.0.jar:?]
        ... 35 more
Caused by: java.util.regex.PatternSyntaxException: Unclosed group near index 2322
(?:(?<timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))\s(?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9])))\s(?<name8>\S+)\s(?:-|(?<name9>(?:(?<name10>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))))\s(?<name11>(?:(?<name12>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))|(?<name13>(?:(?<name14>((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?<name15>(?<![0-9])(?:(?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](?:25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2}))(?![0-9]))))))\s(?<name16>\b\w+\b)\s(?<name17>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))\s(?<name18>\S+)\s(?:-|(?<name19>(?:(?<name20>(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))))))\s(?<name21>.*)\s(?<name22
>.*)\s(?<name23>.*)\s(?<name24>.*)\s(?<name25>\b\w+\b)\s(?<name26>\S+)\s(?<name27>\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b))\s(?<name28>[A-Za-z]+(\+[A-Za-z+]+)?)\s(?:-|(?<name29>(?:[+-]?(?:[0-9]+))))\s(?:-|(?<name30>.*)\s(?<name31>.*)\s(?<name32>.*)\s(?<name33>.*)\s(?<name34>.*))
        at java.base/java.util.regex.Pattern.error(Pattern.java:2028) ~[?:?]
        at java.base/java.util.regex.Pattern.accept(Pattern.java:1878) ~[?:?]
        at java.base/java.util.regex.Pattern.group0(Pattern.java:3053) ~[?:?]
        at java.base/java.util.regex.Pattern.sequence(Pattern.java:2124) ~[?:?]
        at java.base/java.util.regex.Pattern.expr(Pattern.java:2069) ~[?:?]
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1783) ~[?:?]
        at java.base/java.util.regex.Pattern.<init>(Pattern.java:1430) ~[?:?]
        at java.base/java.util.regex.Pattern.compile(Pattern.java:1069) ~[?:?]
        at io.krakens.grok.api.Grok.<init>(Grok.java:69) ~[java-grok-0.1.9.jar:?]
        at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:197) ~[java-grok-0.1.9.jar:?]
        at io.krakens.grok.api.GrokCompiler.compile(GrokCompiler.java:124) ~[java-grok-0.1.9.jar:?]
        at org.opensearch.dataprepper.plugins.processor.grok.GrokProcessor.lambda$compileMatchPatterns$3(GrokProcessor.java:240) ~[grok-processor-2.8.0.jar:?]
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[?:?]
        at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921) ~[?:?]
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
        at org.opensearch.dataprepper.plugins.processor.grok.GrokProcessor.compileMatchPatterns(GrokProcessor.java:241) ~[grok-processor-2.8.0.jar:?]
        at org.opensearch.dataprepper.plugins.processor.grok.GrokProcessor.<init>(GrokProcessor.java:113) ~[grok-processor-2.8.0.jar:?]
        at org.opensearch.dataprepper.plugins.processor.grok.GrokProcessor.<init>(GrokProcessor.java:93) ~[grok-processor-2.8.0.jar:?]
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
        at org.opensearch.dataprepper.plugin.PluginCreator.newPluginInstance(PluginCreator.java:53) ~[data-prepper-plugin-framework-2.8.0.jar:?]
        ... 35 more

To Reproduce
Steps to reproduce the behavior:

  1. Create the following pipeline:
cloudfront-pipeline:
  source:
    file:
      path: /input/sample.log
      format: plain
      codec:
        newline:
  processor:
    - drop_events:
        drop_when: '/message =~ "^#(Version|Fields).*"'
    - grok:
        keep_empty_captures: true
        match:
          message: ["%{CLOUDFRONT_ACCESS_LOG}"]
  sink:
    - stdout:
  2. Run the pipeline with a decompressed CloudFront access log file:
docker run \
-v ${HOME}/tmp/cdn_ingest/input_logs/short_sample.log:/input/sample.log \
-v ${PWD}/cloudfront-pipeline.yaml:/usr/share/data-prepper/pipelines/pipelines.yaml \
opensearchproject/data-prepper:latest
  3. The pipeline fails to start with the exception above.

Expected behavior
The pipeline should start and process the CloudFront log lines.

Screenshots
N/A

Environment (please complete the following information):

  • OS: macOS Sonoma 14.1.1
  • Version: 2.8.0

Additional context
N/A
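
One way to locate the group behind an `Unclosed group` error like the one in the trace above, added here as an example (not code from Data Prepper or java-grok): a scanner that walks an expanded regex using java.util.regex lexical rules and returns the offsets of unmatched parentheses. `scan_groups`, `context` and `SAMPLE` are hypothetical names, and the sample pattern is constructed.

```python
def scan_groups(pattern: str) -> tuple[list[int], list[int]]:
    """Return (indexes of '(' never closed, indexes of ')' never opened)."""
    stack: list[int] = []
    stray: list[int] = []
    depth = 0                                     # nesting depth of [...] classes
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\":
            if pattern.startswith("\\Q", i):      # \Q...\E quotes everything
                end = pattern.find("\\E", i + 2)
                i = n if end < 0 else end + 2
            else:
                i += 2                            # escaped char, e.g. \( or \]
            continue
        if depth:                                 # inside a class, parens are literal
            if ch == "[":
                depth += 1                        # Java allows nested classes
            elif ch == "]":
                depth -= 1
        elif ch == "[":
            depth = 1
            if pattern.startswith("^", i + 1):
                i += 1
            if pattern.startswith("]", i + 1):    # a leading ']' is a literal
                i += 1
        elif ch == "(":
            stack.append(i)
        elif ch == ")":
            if stack:
                stack.pop()
            else:
                stray.append(i)
        i += 1
    return stack, stray


def context(pattern: str, idx: int, width: int = 24) -> str:
    """Short excerpt starting at idx, for use in an error message."""
    return pattern[idx:idx + width]


# Constructed sample (not the project's pattern): the "(?:-|" alternation is
# never closed; parentheses inside [...] and after a backslash must not count.
SAMPLE = r"(?<ts>\d{4}-\d\d)\s(?<path>[^\s()]+)\s(?:-|(?<ua>.*)\s(?<lit>\(ok\))"

if __name__ == "__main__":
    unclosed, stray = scan_groups(SAMPLE)
    for idx in unclosed:
        print(f"unclosed '(' at index {idx}: {context(SAMPLE, idx)}")
    for idx in stray:
        print(f"stray ')' at index {idx}")
```

The scanner reports the opening parentheses still unmatched at the end of input. When an outer group wraps the whole expression, the missing `)` may belong to an inner group, so treat the reported offset as the place to start reading.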
