HTTP requests like "\x16\x03\x01\x01\x22"

Hi,
so for writing a grok pattern to extract certain information, you should first look for the fields you want to extract.
So for your log line I assume you want the ip, timestamp and raw_data and maybe the response code, and you only want to parse these complex requests that start with `\`.

So your log looks like an nginx access log, but the attacker doesn't use standard request methods like GET, HEAD or POST.
For that you need to correct the grok line to parse these complex requests. I therefore removed the method, request and http_version fields and replaced them with a single %{DATA:raw_request}.
The `"\\` before that is necessary to only parse logs starting with `\`. As `\` is a special character, we need to escape it with a `\` before it.

%{IPORHOST:remote_addr} - %{NGUSER:remote_user} \[%{HTTPDATE:time_local}\] "\\%{DATA:raw_request}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}"

Best regards
Dominic

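To show what the pattern above does outside of a grok engine, here is an added Python example (not Dominic's code or part of the original post) that translates it into a regular expression, runs it over two constructed nginx lines, decodes the `\xHH` escapes nginx writes for non-printable request bytes, and flags a request whose first bytes look like a TLS handshake record header. The macro expansions (IPORHOST, NGUSER, HTTPDATE, DATA, NUMBER, NOTDQUOTE) are simplified by hand and the log lines are made up.

```python
import re

# Hand-expanded version of the grok pattern from the post: the literal
# backslash after the opening quote means only escaped (non-HTTP) requests match.
NGINX_RAW_REQUEST = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) '      # IPORHOST, NGUSER
    r'\[(?P<time_local>[^\]]+)\] '                        # HTTPDATE
    r'"\\(?P<raw_request>.*?)" '                          # "\\%{DATA:raw_request}"
    r'(?P<status>\d+) (?P<body_bytes_sent>\d+|-) '        # NUMBER, NUMBER
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'  # NOTDQUOTE x2
)

def parse_raw_request_line(line):
    """Return the named fields, or None when the line is an ordinary HTTP request."""
    m = NGINX_RAW_REQUEST.match(line)
    return m.groupdict() if m else None

def decode_nginx_escapes(raw):
    """Turn nginx's \\xHH escapes back into the bytes the client actually sent."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 < len(raw) and raw[i + 1] == "x":
            out.append(int(raw[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(raw[i]))
            i += 1
    return bytes(out)

def classify_request(raw_request):
    """Defender-side hint for the raw_request field (leading backslash was
    consumed by the regex, so it is re-added). Byte 0x16 followed by 0x03 0x0X
    is the record header of a TLS handshake, i.e. a client spoke TLS to a
    plaintext HTTP port; the next two bytes are the record length."""
    data = decode_nginx_escapes("\\" + raw_request)
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake-on-http-port"
    return "unknown-binary"

# Constructed sample lines, not taken from any real server.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "\\x16\\x03\\x01\\x01\\x22" 400 157 "-" "-"',
    '203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_raw_request_line(line)
        if fields is None:
            print("normal HTTP request, not matched by the raw_request pattern")
        else:
            print(fields["remote_addr"], fields["status"], classify_request(fields["raw_request"]))
```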