Ingest custom nginx log format

tback · February 26, 2019, 12:34pm

I'm using filebeat, my setup is pretty plain: I index nginx log files. Now I wan't to log just one more field ($http_host). Let's say I prefix every line with that:

access_log /var/log/nginx/access.log main

becomes

log_format host_main  '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   '"$http_user_agent" "$http_x_forwarded_for"';
...
access_log /var/log/nginx/access.log host_main;

I'd assume that I can configure nginx module to interprete log lines using a different pattern. I cannot find anything in the filebeat configuration hinting to that.
How do I add the host_name to my log entries?

kvch · February 27, 2019, 8:59am

Unfortunately, the nginx module of Filebeat does not support by default to add more patterns.
But to work around the issue you could install your own nginx pipeline on Elasticsearch.
The pipeline which is loaded to ES is located under module/nginx/acces/ingest/default.json. You could add one more pattern to the first grok processor of the pipeline to parse your messages correctly. After you add the extra pattern, you need to upload the pipeline to ES again using /filebeat setup --pipelines -modules=nginx.
Let me know if you need further help with that.

system · March 27, 2019, 8:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Nginx Module - Nginx log has a non default format Beats filebeat	3	1127	December 1, 2017
Help parsing custom nginx logs using Filebeat and Ingest Pipelines Elasticsearch	18	2481	January 26, 2024
Filebeat, Ingest and ES index name pattern Beats filebeat	2	377	June 13, 2018
How to parse nginx log using filebeat Beats filebeat	3	2198	July 23, 2019
Filebeat & NGINX Logs Beats filebeat	4	601	April 21, 2018

Ingest custom nginx log format

Related topics