Hello,
starting from at least Stirling-PDF Docker version 2.9.2-fat, the log entry for failed login attempts has changed.
Here is a current example from info.log:
2026-04-08 09:16:09,366 WARN s.s.p.s.c.a.AuthController [jetty-169] Invalid password for user: Sascha from IP: 103.69.224.16
2026-04-08 09:24:58,908 WARN s.s.p.s.c.a.AuthController [jetty-275] Invalid password for user: Sascha from IP: 103.69.224.16
2026-04-08 09:25:01,732 WARN s.s.p.s.c.a.AuthController [jetty-279] Invalid password for user: Sascha from IP: 103.69.224.16
In my opinion, the grok pattern should be updated (or extended for compatibility with older Stirling-PDF versions) as follows:
pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} %{DATA:logger} \\[%{DATA:thread}\\] Invalid password for user: %{DATA:username} from IP: %{IP:source_ip}"
#Old: pattern: "%{TIMESTAMP_ISO8601:timestamp} %{WORD:log_level} .*CustomAuthenticationFailureHandler \\[.*\\] Failed login attempt from IP: \\[?%{IP:source_ip}\\]?"
With this adjustment, the logs are parsed correctly:
Thanks for fix it :-)
Hello,
starting from at least Stirling-PDF Docker version 2.9.2-fat, the log entry for failed login attempts has changed.
Here is a current example from info.log:
In my opinion, the grok pattern should be updated (or extended for compatibility with older Stirling-PDF versions) as follows:
With this adjustment, the logs are parsed correctly:
Thanks for fix it :-)