Filebeat nginx access logs not loading with required fields in kibana dashboard


I am using the below Logstash filter to get the access log fields, but I am not able to get the required fields (access.message and other fields).
################################

filter {
  if [fileset][module] == "nginx" {
    if [fileset][name] == "access" {
      grok {
        # Access-log pattern as documented for the Filebeat nginx module (combined log format).
        # The pattern originally pasted here was the error-log pattern, so the fields the
        # useragent and geoip filters below read ([nginx][access][agent] and
        # [nginx][access][remote_ip]) were never extracted.
        match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
        remove_field => "message"
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        # Parse the nginx access timestamp into @timestamp, then drop the raw field.
        match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[nginx][access][time]"
      }
      useragent {
        source => "[nginx][access][agent]"
        target => "[nginx][access][user_agent]"
        remove_field => "[nginx][access][agent]"
      }
      geoip {
        source => "[nginx][access][remote_ip]"
        target => "[nginx][access][geoip]"
      }
    }
    else if [fileset][name] == "error" {
      grok {
        # Error-log pattern; the literal brackets and the leading "*" of the connection id
        # must be backslash-escaped, which the forum had stripped from the original post.
        match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
        remove_field => "message"
      }
      mutate {
        rename => { "@timestamp" => "read_timestamp" }
      }
      date {
        match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
        remove_field => "[nginx][error][time]"
      }
    }
  }
}
#########################
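To check what the access-log pattern actually yields before wiring it into useragent and geoip, here is an added example (not code from the original post or from the Filebeat module): the nginx access grok pattern translated into a Python regex with the module's nested field names, plus a check for the inputs the downstream filters depend on. The log line and the helper names are constructed for the example.

```python
import re

# Python translation of the nginx combined access-log grok pattern used by the
# Filebeat nginx module; named groups stand in for the grok field names.
ACCESS_RE = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user_name>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<response_code>\d{3}) (?P<body_sent_bytes>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fields the later useragent and geoip filters read from the event.
DOWNSTREAM_INPUTS = ("remote_ip", "agent")


def parse_access_line(line):
    """Return the nested nginx.access.* fields, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {"nginx": {"access": {
        "remote_ip": f["remote_ip"],
        "user_name": f["user_name"],
        "time": f["time"],
        "method": f["method"],
        "url": f["url"],
        "http_version": f["http_version"],
        "response_code": int(f["response_code"]),
        "body_sent": {"bytes": int(f["body_sent_bytes"])},
        "referrer": f["referrer"],
        "agent": f["agent"],
    }}}


def missing_downstream_inputs(event):
    """Names of fields useragent/geoip need that the grok stage did not produce."""
    access = (event or {}).get("nginx", {}).get("access", {})
    return [k for k in DOWNSTREAM_INPUTS if not access.get(k)]


# Constructed sample line in nginx combined format (RFC 5737 documentation address).
SAMPLE_LINE = ('203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" '
               '200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0"')

if __name__ == "__main__":
    event = parse_access_line(SAMPLE_LINE)
    print(event)
    print("missing for useragent/geoip:", missing_downstream_inputs(event))
```

An access line fed through the error-log pattern does not match at all, so the event reaches useragent and geoip with neither remote_ip nor agent set; the check reports both as missing.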

Any reason you are not using Filebeat's nginx module and sending the data directly from Filebeat to Elasticsearch instead?

I am using Filebeat locally and sending nginx logs via Filebeat --> Logstash --> Elasticsearch.
##############################
filebeat.yml

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

########################
