I have a problem in production.
Versions: ES 651, Filebeat 651
I modified the nginx template to extract the cookies from the nginx log:
"grok": {
  "field": "message",
  "patterns": [
    "\"?%{IPV4:nginx.access.remote_ip_list} - %{DATA:nginx.access.user_name} \\[%{HTTPDATE:nginx.access.time}\\] \"%{GREEDYDATA:nginx.access.info}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\" \"%{DATA:nginx.access.cookie}\" \"%{DATA:nginx.access.request_body}\""
  ]
}
Then I extract the email address from the cookie field:
"grok": {
  "field": "nginx.access.cookie",
  "patterns": [
    "email=%{EMAILADDRESS:nginx.access.client}",
    ""
  ],
  "ignore_missing": true
}
But I found that when the cookie field has the following format:
Email=cloris@ucan.com; token=ecc47f17abc040928c3c89c1f31a73a4; lang=en-US
there is no problem, but if the email field is in the middle, no information can be extracted.
For example:
Token=ecc47f17abc040928c3c89c1f31a73a4; email=cloris@ucan.com; lang=en-US
Asking for advice.
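
A likely explanation for the behaviour in the question, as an added example (not part of the original post): assuming the grok processor joins the `patterns` entries into one alternation and searches unanchored, the empty `""` fallback matches at offset 0 before the search ever reaches a mid-string `email=`. The Python model below uses a simplified stand-in for `EMAILADDRESS` and constructed cookie values; `combine` and `extract_client` are hypothetical names.

```python
import re

# Simplified stand-in for grok's EMAILADDRESS (assumption, not its real definition).
EMAIL = r"[A-Za-z0-9_.+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

# Pattern list as in the question: the email pattern plus the empty fallback.
ORIGINAL = [rf"email=(?P<client>{EMAIL})", ""]
# Fallback removed; email= must start a cookie pair so "useremail=" is not matched.
FIXED = [rf"(?:^|;\s*)email=(?P<client>{EMAIL})"]

def combine(patterns):
    """Model of the assumed behaviour: all patterns become one alternation."""
    return re.compile("|".join(f"(?:{p})" for p in patterns))

def extract_client(cookie, patterns):
    """Return (client, match offset); (None, None) models a grok failure."""
    m = combine(patterns).search(cookie)
    if m is None:
        return (None, None)
    return (m.group("client"), m.start())

# Constructed sample cookies.
FIRST = "email=user@example.com; token=0123abcd; lang=en-US"
MIDDLE = "token=0123abcd; email=user@example.com; lang=en-US"
NO_EMAIL = "token=0123abcd; useremail=x@example.com"

if __name__ == "__main__":
    for label, pats in (("original", ORIGINAL), ("fixed", FIXED)):
        for cookie in (FIRST, MIDDLE, NO_EMAIL):
            print(label, extract_client(cookie, pats), cookie)
```

In the pipeline, the equivalent change is to drop the `""` entry and set `ignore_failure` on the processor for cookies that carry no email.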