How can I read this nginx format with logstash?

I can't get my NGINX logs to be parsable by logstash.

NGINX config:

log_format main '"$http_x_forwarded_for - $remote_user [$time_local]" "$host" "$request" "$status" "$bytes_sent" "$http_referer" "$http_user_agent" "$cookie_client_id" "$request_time"';

Example log line:

"194.76.219.19 - - [17/Apr/2018:09:58:39 +0200]" "www.example.com" "GET /?ping HTTP/1.1" "200" "62786" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "3294aeff1d3031a4c880ac7497688473" "0.409"

Currently I'm getting messages like:

Provided Grok expressions do not match field value: ["194.76.219.19 - - [17/Apr/2018:09:58:39 +0200]" "www.example.com" "GET /?ping HTTP/1.1" "200" "62786" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "3294aeff1d3031a4c880ac7497688473" "0.409"]

I would use dissect rather than grok, but what grok pattern are you trying to use?
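
The dissect approach suggested in the reply above, written out for the `log_format` in the question. This is an added example, not a configuration posted by anyone in the thread. The field names (`forwarded_for`, `vhost`, `client_id` and so on) are assumptions chosen for illustration.

```logstash
filter {
  # Split the line on the literal delimiters of the log_format shown above.
  # Field names are this example's choice; "vhost" avoids clashing with
  # the host field Logstash may already set on the event.
  dissect {
    mapping => {
      "message" => '"%{forwarded_for} - %{remote_user} [%{time_local}]" "%{vhost}" "%{request}" "%{status}" "%{bytes_sent}" "%{referer}" "%{user_agent}" "%{client_id}" "%{request_time}"'
    }
    # Numeric fields arrive as strings; convert them for range queries.
    convert_datatype => {
      "status"       => "int"
      "bytes_sent"   => "int"
      "request_time" => "float"
    }
    # Default tag, set explicitly so non-matching lines are easy to find.
    tag_on_failure => ["_dissectfailure"]
  }

  # X-Forwarded-For is a request header, so forwarded_for is client-supplied
  # text and may hold a comma-separated list. It is kept as one string here
  # and should not be treated as a verified source address.

  if "_dissectfailure" not in [tags] {
    # $time_local looks like 17/Apr/2018:09:58:39 +0200
    date {
      match        => ["time_local", "dd/MMM/yyyy:HH:mm:ss Z"]
      remove_field => ["time_local"]
    }
  }
}
```

Events tagged `_dissectfailure` keep their original `message`, so lines that do not fit the format can be reviewed rather than silently dropped.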
