Hi Luv,

We use the following rules:

rule=http:%remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"%blob:rest%

rule=http:%remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"

rule=http: %remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"%blob:rest%

rule=http: %remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"


Our nginx access log rules look like this:

    # closing quote directly after $request, so the rules' literal HTTP/%httpversion:float%" matches
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';


On Tue, 13 Jun 2017 at 10:49 Luv via rsyslog <rsyslog@lists.adiscon.com>
wrote:

> I am sending logs to elasticsearch via rsyslog. For the parsing of those
> logs, I am using liblognorm rule.
>
> I want to create fields of nginx logs,
>
> here is a log entry,
>
>     127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] "GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
>
>
> Here is the pattern file,
>
>     version=2
>
>     rule=:%clientip:ipv4% - %user:word% [%timestamp:char-to:]%] %auth:word% "%verb:alpha% %request:word%" %response:number% %bytes:number% "%referrer:word"%" "%agent:char-to:{"extradata":"("}"
>
> The reason for the parse failure is, I believe, the date-time format.
>
> Can somebody help in creating a rule for parsing nginx logs?
> --
> View this message in context:
> http://rsyslog-users.1305293.n2.nabble.com/liblognorm-rule-for-nginx-logs-tp7592454.html
> Sent from the rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
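To check a rule like the ones in the reply above against a sample line before it goes into rsyslog, here is an added example (not part of this thread and not liblognorm code): a small, hypothetical `rule_to_regex` translator for the `%name:type%` field syntax used in those rules, run over a constructed nginx line in the shape of the questioner's entry. Real liblognorm builds a parse tree rather than a regex, so this only approximates its matching; the `unparsed-data` key mirrors what liblognorm emits when no rule matches.

```python
import re

# Constructed sample line in the shape of the questioner's nginx entry, with the
# trailing "$http_x_forwarded_for" field that the reply's log_format appends.
LOG = ('127.0.0.1 - kibanaadmin [13/Jun/2017:14:18:17 +0530] '
       '"GET /ui/favicons/favicon-32x32.png HTTP/1.1" 304 0 "-" '
       '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0" "-"')

# Pattern part of the reply's first rule, on one line as liblognorm requires.
RULE = ('%remote_addr:word% %ident:word% %auth:word% [%timestamp:char-to:]%] '
        '"%method:word% %request:word% HTTP/%httpversion:float%" %status:number% '
        '%bytes_sent:number% "%referrer:char-to:"%" "%agent:char-to:"%"%blob:rest%')

FIELD = re.compile(r'%(\w+):(word|number|float|ipv4|rest|char-to:(.))%')
TYPES = {'word': r'\S+', 'number': r'\d+', 'float': r'\d+(?:\.\d+)?',
         'ipv4': r'\d{1,3}(?:\.\d{1,3}){3}', 'rest': r'.*'}

def rule_to_regex(rule):
    """Translate the liblognorm field syntax used above into an anchored regex.
    Hypothetical, simplified stand-in: liblognorm itself is not regex based."""
    parts, pos = [], 0
    for m in FIELD.finditer(rule):
        parts.append(re.escape(rule[pos:m.start()]))   # literal text between fields
        name, typ, stop = m.groups()
        # char-to:X matches everything up to (not including) the character X
        pat = TYPES[typ] if typ in TYPES else '[^' + re.escape(stop) + ']*'
        parts.append('(?P<%s>%s)' % (name, pat))
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile('^' + ''.join(parts) + '$')

def normalize(rule, line):
    """Return the extracted fields, or the whole line under 'unparsed-data' when the
    rule does not match; that key is what to watch for in Elasticsearch, since lines
    that fail normalization otherwise drop out of dashboards silently."""
    m = rule_to_regex(rule).match(line)
    return m.groupdict() if m else {'unparsed-data': line}

if __name__ == '__main__':
    import json
    print(json.dumps(normalize(RULE, LOG), indent=2))
    # A constructed nginx error-log line does not fit the access-log rule.
    print(normalize(RULE, '2017/06/13 14:18:17 [error] 1234#0: *5 open() failed'))
```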
