Hi Luv, we use the following rules:

rule=http:%remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"%blob:rest%
rule=http:%remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"
rule=http: %remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"%blob:rest%
rule=http: %remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"

Our nginx access log rules look like this:

log_format main '$remote_addr - $remote_user [$time_local] "$request "'
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

On Tue, 13 Jun 2017 at 10:49 Luv via rsyslog <rsyslog@lists.adiscon.com> wrote:

> I am sending logs to elasticsearch via rsyslog. For the parsing of those
> logs, I am using liblognorm rule.
>
> I want to create fields of nginx logs,
>
> here is a log entry,
>
> 127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] "GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
>
> Here is the pattern file,
>
> version=2
>
> rule=:%clientip:ipv4% - %user:word% [%timestamp:char-to:]%] %auth:word% "%verb:alpha% %request:word%" %response:number% %bytes:number% "%referrer:word"%" "%agent:char-to:{"extradata":"("}"
>
> The reason for parsefailure is I believe due to the date-time format.
>
> Can somebody help in creating a rule for parsing nginx logs ?
>
> --
> View this message in context:
> http://rsyslog-users.1305293.n2.nabble.com/liblognorm-rule-for-nginx-logs-tp7592454.html
> Sent from the rsyslog-users mailing list archive at Nabble.com.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
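A runnable illustration of the field layout the reply's working rule expects, as an added example that is not part of the thread and is not liblognorm itself: a Python parser with the same field order (ident and auth before the bracketed timestamp, the `HTTP/x.y` token inside the quoted request, a `char-to:"` style capture for referrer and agent, and a rest-of-line capture that picks up the `"$http_x_forwarded_for"` value the reply's log_format appends after the user agent). It also parses the timestamp with the `%d/%b/%Y:%H:%M:%S %z` layout of the quoted log entry and reports lines that fail to parse, since access-log lines that do not normalize are invisible to whatever detection runs on the Elasticsearch side. The first sample line is the entry quoted in the question; the other two are constructed, and the function names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample input. The first line is the entry quoted in the question;
# the second is made up to exercise the trailing "$http_x_forwarded_for" field
# from the reply's log_format; the third is deliberately not an access-log line.
SAMPLE_LINES = [
    '127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] '
    '"GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"',
    '10.0.0.7 - - [13/Jun/2017:14:20:01 +0530] '
    '"POST /api/login HTTP/1.1" 401 52 "-" "curl/7.47.0" "203.0.113.9"',
    'this line is not an access log entry',
]

# Same field order as the working liblognorm rule in the reply:
#   remote_addr ident auth [timestamp] "method request HTTP/version"
#   status bytes_sent "referrer" "agent" <rest of line>
# [^"]* plays the role of char-to:" and (?P<blob>.*) the role of %blob:rest%.
NGINX_RE = re.compile(
    r'^(?P<remote_addr>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>\S+) HTTP/(?P<httpversion>\d+(?:\.\d+)?)" '
    r'(?P<status>\d+) (?P<bytes_sent>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?P<blob>.*)$'
)

# nginx $time_local layout, e.g. 13/Jun/2017:14:18:17 +0530
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_nginx_line(line):
    """Return a dict of typed fields, or None when the line does not match."""
    m = NGINX_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    f = m.groupdict()
    f["timestamp"] = datetime.strptime(f["timestamp"], TIME_FMT)
    f["httpversion"] = float(f["httpversion"])   # mirrors %httpversion:float%
    f["status"] = int(f["status"])
    f["bytes_sent"] = int(f["bytes_sent"])
    f["blob"] = f["blob"].strip()                 # mirrors %blob:rest%
    return f


def parse_batch(lines):
    """Parse many lines; return (records, unparsed) so parse failures stay visible."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_nginx_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


if __name__ == "__main__":
    parsed, failed = parse_batch(SAMPLE_LINES)
    for rec in parsed:
        print(rec["timestamp"].isoformat(), rec["remote_addr"], rec["auth"],
              rec["method"], rec["request"], rec["status"], repr(rec["blob"]))
    print("unparsed lines:", len(failed))
```

The `parse_batch` split is the part worth keeping in a real pipeline: a normalizer that silently drops non-matching lines hides exactly the traffic (malformed requests, unexpected log_format changes) an analyst most wants to see, so the count of unparsed lines is itself a signal worth alerting on.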