Ingest custom nginx log format

tback · February 26, 2019, 12:34pm

I'm using filebeat, my setup is pretty plain: I index nginx log files. Now I wan't to log just one more field ($http_host). Let's say I prefix every line with that:

access_log /var/log/nginx/access.log main

becomes

log_format host_main  '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for"';
...
access_log /var/log/nginx/access.log host_main;

I'd assume that I can configure nginx module to interprete log lines using a different pattern. I cannot find anything in the filebeat configuration hinting to that.
How do I add the host_name to my log entries?

kvch · February 27, 2019, 8:59am

Unfortunately, the nginx module of Filebeat does not support by default to add more patterns.
But to work around the issue you could install your own nginx pipeline on Elasticsearch.
The pipeline which is loaded to ES is located under module/nginx/acces/ingest/default.json. You could add one more pattern to the first grok processor of the pipeline to parse your messages correctly. After you add the extra pattern, you need to upload the pipeline to ES again using /filebeat setup --pipelines -modules=nginx.
Let me know if you need further help with that.

Topic		Replies	Views
Filebeat Nginx Module - Nginx log has a non default format Beats filebeat	3	1174	December 1, 2017
NGINX - restructure logging to match nginx module Beats filebeat	2	442	August 6, 2020
How to parse filebeat access log with vhost? Beats filebeat	4	1197	June 26, 2018
Filebeat nginx include custom log field Beats filebeat	3	974	November 29, 2019
How to wirte pipiline.yaml file for filebeat nginx module for access log? Beats filebeat	1	331	June 3, 2020

Ingest custom nginx log format

Related topics