
@devamanv
Contributor

@devamanv devamanv commented Jan 4, 2026

Proposed commit message

The PR contains changes to modify the AWS ALB Grok pattern to support the conn_trace_id field and parse malformed requests missing HTTP versions, which is as follows:

http 2025-05-01T11:24:32.748149Z app/internal-service-alb/abcd1234efgh5678 127.0.0.1:57273 - -1 -1 -1 200 - 0 272 "- http://internal-service-alb.example.com:80-/ " "-" - - - "-" "-" "-" - 2025-05-01T11:24:32.720000Z "-" "-" "-" "-" "-" "-" "-" TID_00000000000000000000000000000000

Reference: AWS ELB Access Log entries

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • All pipeline tests should still pass

Related issues
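An added example, not the integration's Grok pattern or code from this PR: a Python tokenizer for the sample line in the description that accepts a request field with no HTTP version and treats the trailing conn_trace_id as optional. Field order follows the AWS ALB access log documentation; the key names, the helper names and the well-formed variant are assumptions constructed for the example.

```python
import re

# Field order per the AWS ALB access log documentation; the key names
# (client_port for "client:port", etc.) are this example's own.
ALB_FIELDS = (
    "type time elb client_port target_port request_processing_time "
    "target_processing_time response_processing_time elb_status_code "
    "target_status_code received_bytes sent_bytes request user_agent "
    "ssl_cipher ssl_protocol target_group_arn trace_id domain_name "
    "chosen_cert_arn matched_rule_priority request_creation_time "
    "actions_executed redirect_url error_reason target_port_list "
    "target_status_code_list classification classification_reason "
    "conn_trace_id"
).split()

# A token is a double-quoted string (backslash escapes allowed) or a bare word.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# Request field: method, URL, then an OPTIONAL trailing HTTP version.
REQUEST = re.compile(r'^(\S+) (.*?)(?: (HTTP/\d(?:\.\d)?))?\s*$')

# Sample line from the PR description (request has no HTTP version).
MALFORMED = 'http 2025-05-01T11:24:32.748149Z app/internal-service-alb/abcd1234efgh5678 127.0.0.1:57273 - -1 -1 -1 200 - 0 272 "- http://internal-service-alb.example.com:80-/ " "-" - - - "-" "-" "-" - 2025-05-01T11:24:32.720000Z "-" "-" "-" "-" "-" "-" "-" TID_00000000000000000000000000000000'
# Constructed variant: well-formed request, older layout without conn_trace_id.
WELL_FORMED = MALFORMED.replace(
    '"- http://internal-service-alb.example.com:80-/ "',
    '"GET http://internal-service-alb.example.com:80/ HTTP/1.1"',
).rsplit(" ", 1)[0]

def none_if_dash(value):
    """ALB writes '-' for absent values; normalise those to None."""
    return None if value in ("-", "", None) else value

def parse_alb_line(line):
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) < 13:
        raise ValueError("line ends before the request field")
    event = {k: none_if_dash(v) for k, v in zip(ALB_FIELDS, tokens)}
    event.setdefault("conn_trace_id", None)  # absent on older lines
    m = REQUEST.match(tokens[12])
    method, url, version = m.groups() if m else (None, None, None)
    event.update(http_method=none_if_dash(method), url=none_if_dash(url),
                 http_version=version)
    return event
```

A line that fails to parse never reaches the index, so tolerating the missing version keeps malformed requests visible to detections that key on them.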

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jan 4, 2026

🚀 Benchmarks report

Package aws 👍(14) 💚(5) 💔(3)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| cloudwatch_logs | 1e+06 | 500000 | -500000 (-50%) | 💔 |
| elb_logs | 4739.34 | 577.03 | -4162.31 (-87.82%) | 💔 |
| emr_logs | 20000 | 13513.51 | -6486.49 (-32.43%) | 💔 |

To see the full report comment with /test benchmark fullreport

@jsevidal13

Hello team! The customer mentioned in https://github.com/elastic/sdh-beats/issues/6770 is waiting for this PR to be merged before I can close out their support case.

Is there an ETA I could share with them on when this can be merged? 🙏

@devamanv
Contributor Author

devamanv commented Jan 7, 2026

@jsevidal13 we are trying to close it ASAP, hopefully by end of this week. Hope that's okay.

@jsevidal13

> @jsevidal13 we are trying to close it ASAP, hopefully by end of this week. Hope that's okay.

Thanks, @devamanv! I'll let the customer know.

@andrewkroh andrewkroh added Integration:aws AWS Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Jan 8, 2026
@devamanv devamanv changed the title [aws] Update ELB Grok pattern to support minor changes in the log format [aws] Update AWS ALB Grok patterns to support the conn_trace_id field and parse malformed requests missing HTTP versions Jan 9, 2026
@devamanv devamanv changed the title [aws] Update AWS ALB Grok patterns to support the conn_trace_id field and parse malformed requests missing HTTP versions [aws] Update AWS ALB Grok patterns to support the conn_trace_id field and parse malformed requests missing HTTP versions Jan 9, 2026
@devamanv devamanv changed the title [aws] Update AWS ALB Grok patterns to support the conn_trace_id field and parse malformed requests missing HTTP versions [aws] Update AWS ALB Grok patterns to support logs with conn_trace_id field and malformed requests missing HTTP versions Jan 9, 2026
@devamanv devamanv changed the title [aws] Update AWS ALB Grok patterns to support logs with conn_trace_id field and malformed requests missing HTTP versions [aws] Update AWS ALB Grok patterns to parse logs with conn_trace_id field and malformed requests missing HTTP versions Jan 9, 2026
@elasticmachine

💚 Build Succeeded


@devamanv devamanv merged commit 7e48893 into elastic:main Jan 11, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package aws - 5.6.0 containing this change is available at https://epr.elastic.co/package/aws/5.6.0/
