Make Elasticsearch understand date/time field Nginx/apache logs

I am sending my logs from apache and nginx to elasticsearch via rsyslog.

Parsing to json:

rule=:%remote_addr:word% %ident:word% %auth:word% [%@timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %requesttime:float% "%referrer:char-to:"%" "%agent:char-to:"%"


template(name="apache-nginx" type="list"){

The problem is nginx logs like: [14/Jan/2020:08:48:23 +0100] so when send to elastic search it does not recognise it as date/time

Any tips tricks to fix it ? (no filebeats.) Has to be done with rsyslog/elasticsearch.

You can use an ingest pipeline so parse this as a proper date. Check out the ingest node in general, and the grok processor specifically, which also has predefined patterns for apache logs, that you might be able to reuse.


Ty ! love the flexibilityof the system but i'll have to study it more thanks for pointing me into correct direction.

For now i made all json template to import everything from rsyslog downside is can't use the premade dashboard oh wel all in time.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.