Logstash not parsing default nginx logs

Kushal_Das · September 12, 2019, 6:29pm

Hi,

I am using the latest 7.x series of the stack. The filter pattern is the same for the default nginx. But, I can not find any of the nginx.* fields, and instead can see the message inside of the _source field.

Any tips will be helpful.

Here is the pattern I am using:

filter {
  if [fileset][module] == "nginx" {
    if [fileset][name] == "access" {
      grok {
        match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
        remove_field => "message"
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[nginx][access][time]"
      }
      useragent {
        source => "[nginx][access][agent]"
        target => "[nginx][access][user_agent]"
        remove_field => "[nginx][access][agent]"
      }
      geoip {
        source => "[nginx][access][remote_ip]"
        target => "[nginx][access][geoip]"
      }
    }
    else if [fileset][name] == "error" {
      grok {
        match => { "message" => ["%{DATA:[nginx][error][time]} \[%{DATA:[nginx][error][level]}\] %{NUMBER:[nginx][error][pid]}#%{NUMBER:[nginx][error][tid]}: (\*%{NUMBER:[nginx][error][connection_id]} )?%{GREEDYDATA:[nginx][error][message]}"] }
        remove_field => "message"
      }
      mutate {
        rename => { "@timestamp" => "read_timestamp" }
      }
      date {
        match => [ "[nginx][error][time]", "YYYY/MM/dd H:m:s" ]
        remove_field => "[nginx][error][time]"
      }
    }
  }
}

stephenb · September 13, 2019, 1:59am

Perhaps you might want look at the file beat module for nginx and either send directly to elasticsearch or just use logstash as the pass through. You will get elastic common schems parsing and automatic dashboard and visualization creation.

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-nginx.html

Just a thought..

system · October 11, 2019, 2:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem grok pattern Logstash	6	1269	May 12, 2017
Logstash grokparsefailure Logstash	4	385	November 11, 2020
Logstash parse log nginx not index refresh Logstash	1	415	September 17, 2019
Can someone please help me with nginx logstash filter Logstash	11	3257	September 30, 2017
Can't get any log from one special filter Logstash	5	912	July 6, 2017

Logstash not parsing default nginx logs

Related topics