How to parse nginx log using filebeat

prashantgcloud · June 18, 2019, 1:42pm

I have setup Elasticsearch and kibana using AWS Elastic search service so can't install below plugin :

bin/elasticsearch-plugin install ingest-geoip
bin/elasticsearch-plugin install ingest-user-agent

I have installed filebeat on EC2 instance using ebextension and it is successfully able to push logs to Elastic search and I'm able to see it on kibana.

Config:

input_type: log
paths:
- /var/log/nginx/*.log
json.message_key: event
json.keys_under_root: true
json.overwrite_keys: true

message:
xx.xx.xx.xxx - wI485uVG79N7CrcjHx1 [18/Jun/2019:13:17:34 +0000] "POST /v1/cryptoServices/encrypt HTTP/1.1" 200 172 "-" "PostmanRuntime/7.6.0" "644" "0.030" "0.030" "." "prashant" "-" "-" "NO_ID" "xx.xx.xx.xxx" "-"

However, I want to parse the message with different fields like we can do with nginx module. Is there any other way to achieve this. I don't to setup Logstash on a different server to parse it using grok parser.

Can we achieve it using filebeat on EC2 instance and AWS Elastic search service?

Mario_Castro · June 19, 2019, 11:53am

Hi @prashantgcloud

I'm afraid that we don't have knowledge about how the open distro works but in Elasticsearch you can setup an Ingest node with a Grok pattern if you don't use the default formats of Nginx to use the Filebeat Nginx module. This way you can omit using Logstash.

I hope this helps.

prashantgcloud · June 25, 2019, 6:29am

I can use filebeat nginx module, but then I can't install below plugin on Elastic search instance as I have set it up using AWS Elasticsearch service.

bin/elasticsearch-plugin install ingest-geoip
bin/elasticsearch-plugin install ingest-user-agent..

My question is how can I send parsed nginx log instead of sending it in a single message:

Current logs:
message: xx.xx.xx.xxx - wI485uVG79N7CrcjHx1 [18/Jun/2019:13:17:34 +0000] "POST /v1/cryptoServices/encrypt HTTP/1.1" 200 172 "-" "PostmanRuntime/7.6.0" "644" "0.030" "0.030" "." "prashant" "-" "-" "NO_ID" "xx.xx.xx.xxx" "-"

Expected logs:
nginx.access.reponse_code
nginx.access.user_agent and so on

So I can create better dashboard.

system · July 23, 2019, 6:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest custom nginx log format Beats filebeat	2	4975	March 27, 2019
Help parsing custom nginx logs using Filebeat and Ingest Pipelines Elasticsearch	18	2380	January 26, 2024
How to filter specific fields of nginx logs in filebeat before importing in elastic? Beats filebeat	5	299	February 21, 2024
Filebeat not ingesting json based log files to elastic search Beats filebeat	2	549	October 28, 2022
Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch Beats filebeat	3	430	March 31, 2024

How to parse nginx log using filebeat

Related Topics