Hi Bob, here is my configuration for sending the logs to Elasticsearch.

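# Template: emit every JSON property that mmnormalize produced for the message
# ($!all-json) as the document body sent to Elasticsearch.
template(name="all-json-nginx"
    type="list"){
 property(name="$!all-json")
 }


if $programname == 'nginx' then {

# Parse the raw nginx access line into structured fields. The rulebase is
# trusted configuration: keep it writable only by the rsyslog administrator,
# since its rules decide which fields end up indexed.
action(type="mmnormalize"
  rulebase="/opt/rsyslog/apache.rb"   # file where rules are kept for parsing
)

# $parsesuccess is set by mmnormalize. Parsed and unparsed lines go to
# separate indexes so rulebase failures stay visible instead of being mixed in.
if $parsesuccess == "OK" then {
action(type="omelasticsearch"
  template="all-json-nginx"  # use the template defined earlier
  searchIndex="aaaaaaaaaaaa"
  searchType="nginx"
  server="127.0.0.1"   # loopback only: no usehttps/uid/pwd is set, so the
  serverport="9200"    # connection is plaintext and unauthenticated; any
                       # non-local server needs usehttps="on" plus credentials
  bulkmode="on"  # use the bulk API
  action.resumeretrycount="-1"  # retry indefinitely if Logsene/Elasticsearch is unreachable
                                # NOTE(review): with unbounded retries, a long ES
                                # outage backs up the queue feeding this action;
                                # a dedicated action queue may be wanted - confirm
) } else {
# Lines the rulebase could not parse.
action(type="omelasticsearch"
  template="all-json-apache"  # NOTE(review): not defined in this snippet;
                              # presumably declared elsewhere in the config - verify
  searchIndex="nginx-logs-2"
  searchType="nginx"
  server="127.0.0.1"
  serverport="9200"
  bulkmode="on"  # use the bulk API
  action.resumeretrycount="-1"  # retry indefinitely if Logsene/Elasticsearch is unreachable
)
}

} else {
# Everything that is not from nginx. The indexed documents carry whatever the
# source logged (user names, request paths), so the index is as sensitive as
# the logs themselves; restrict who can read it.
 action( name="all-logs"
       type="omelasticsearch"
       template="JSONDefault"   # NOTE(review): not defined in this snippet - verify it exists
       server="127.0.0.1"
       serverport="9200"
       searchIndex="test1"
       bulkmode="on"
       action.resumeretrycount="-1"
)
}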




And here are the fields in the index "aaaaaaaaaaaa":

      {
        "_index" : "aaaaaaaaaaaa",
        "_type" : "nginx",
        "_id" : "AVyhAYODBtmjLGraDsh5",
        "_score" : 1.0,
        "_source" : {
          "blob" : " \"-\"",
          "agent" : "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0",
          "referrer" : "http://127.0.0.1:8012/app/kibana",
          "bytes_sent" : "980",
          "status" : "200",
          "httpversion" : "1.1",
          "request" : "/elasticsearch/aaaaaaaaaaaa/_mapping/field/*?_=1497349849968&ignore_unavailable=false&allow_no_indices=false&include_defaults=true",
          "method" : "GET",
          "timestamp" : "13/Jun/2017:16:00:49 +0530",
          "auth" : "kibanaadmin",
          "ident" : "-",
          "remote_addr" : "127.0.0.1",
          "event.tags" : [
            "http"
          ]
        }


I think the timestamp format is causing this problem. Can you suggest
something?


