On Tue, 13 Jun 2017, Luv via rsyslog wrote:
> I am sending logs to elasticsearch via rsyslog. For the parsing of those logs, I am using a liblognorm rule. I want to create fields of nginx logs; here is a log entry:
>
> 127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] "GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
>
> Here is the pattern file:
>
> version=2
> rule=:%clientip:ipv4% - %user:word% [%timestamp:char-to:]%] %auth:word% "%verb:alpha% %request:word%" %response:number% %bytes:number% "%referrer:word"%" "%agent:char-to:{"extradata":"("}"
>
> The reason for the parse failure is, I believe, the date-time format.
No, you get past that; your problem is in auth:word. There isn't an auth word in this line, it goes directly to the "verb.
> Can somebody help in creating a rule for parsing nginx logs?
Does nginx have an option to output in JSON? What is the log format as defined in the nginx config?

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
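To make David Lang's point concrete, here is an added example (not code from the thread, and not liblognorm) that walks the quoted log line token by token the way the rule does, in Python. It assumes the line is in nginx's default "combined" log_format, which the quoted entry matches; the field names mirror the rule's, and a second grammar with the extra auth slot shows where the poster's rule stops matching.

```python
"""Parse an nginx 'combined' access-log line into the fields the thread's
liblognorm rule names, and show why an extra auth token breaks the match."""
import re
from datetime import datetime
from typing import Optional

# Constructed sample: the log entry quoted in the thread, verbatim.
SAMPLE = ('127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] '
          '"GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" '
          '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"')

# nginx's default "combined" log_format, token by token:
#   $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
# The literal "-" is the (always empty) ident slot and $remote_user follows it.
# Nothing sits between the closing "]" and the opening quote of the request,
# so a grammar that expects a separate auth token there can never match.
COMBINED = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same grammar with the poster's extra %auth:word% slot after the timestamp.
SPURIOUS_AUTH = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] (?P<auth>\S+) '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+)(?: (?P<httpversion>HTTP/[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

TIME_FMT = '%d/%b/%Y:%H:%M:%S %z'   # e.g. 13/Jun/2017:14:18:17 +0530


def parse(line: str, grammar=COMBINED) -> Optional[dict]:
    """Return the named fields as a dict, or None if the grammar does not match."""
    m = grammar.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # The timestamp parses fine; it was never the cause of the failure.
        fields['timestamp'] = datetime.strptime(fields['timestamp'], TIME_FMT)
    except ValueError:
        pass  # keep the raw string if a line carries an unexpected time format
    fields['response'] = int(fields['response'])
    fields['bytes'] = 0 if fields['bytes'] == '-' else int(fields['bytes'])
    return fields


def check(lines):
    """Count how many lines each grammar accepts. Zero hits on a known-good
    sample means the grammar is misaligned with the log_format, which is the
    first thing to verify before blaming a single field parser."""
    return {name: sum(parse(line, g) is not None for line in lines)
            for name, g in (('combined', COMBINED), ('spurious_auth', SPURIOUS_AUTH))}


if __name__ == '__main__':
    print(parse(SAMPLE))
    print(check([SAMPLE]))   # {'combined': 1, 'spurious_auth': 0}
```

The regex stands in for the rule's token sequence only; the fix on the liblognorm side is the same, dropping the %auth:word% token so the quoted request follows the timestamp directly. If the nginx config uses a custom log_format rather than combined, the grammar has to be derived from that directive instead; nginx's log_format also accepts escape=json, which is the simplest way to get the JSON output David asks about.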

