Make Elasticsearch understand date/time field Nginx/apache logs

spacecabbie · January 14, 2020, 9:33am

I am sending my logs from apache and nginx to elasticsearch via rsyslog.

Parsing to json:

version=2
rule=:%remote_addr:word% %ident:word% %auth:word% [%@timestamp:char-to:]%] "%method:word% %request:word% HTTP/%httpversion:float%" %status:number% %requesttime:float% "%referrer:char-to:"%" "%agent:char-to:"%"

.

template(name="apache-nginx" type="list"){
  property(name="$!all-json")
}

The problem is nginx logs like: [14/Jan/2020:08:48:23 +0100] so when send to elastic search it does not recognise it as date/time

Any tips tricks to fix it ? (no filebeats.) Has to be done with rsyslog/elasticsearch.

spinscale · January 14, 2020, 4:44pm

You can use an ingest pipeline so parse this as a proper date. Check out the ingest node in general, and the grok processor specifically, which also has predefined patterns for apache logs, that you might be able to reuse.

--Alex

spacecabbie · January 19, 2020, 2:57pm

Ty ! love the flexibilityof the system but i'll have to study it more thanks for pointing me into correct direction.

For now i made all json template to import everything from rsyslog downside is can't use the premade dashboard oh wel all in time.

Topic		Replies	Views
Log time doesnot match the @timestamp Elasticsearch	5	1916	November 9, 2018
How to parse DateTime from Logstash to Elasticsearch? Elasticsearch	1	607	July 5, 2017
Having troubles parsing dates Elasticsearch	4	1034	July 6, 2017
"reason"=>"failed to parse field [Time] of type [date] in document with id 'xxxxxxxxxxxxxxx' Logstash	3	14884	April 19, 2021
Elasticsearch Date Processor not parsing properly Elasticsearch	4	492	November 20, 2019

Make Elasticsearch understand date/time field Nginx/apache logs

Related topics