Nginx log filter problem

Logstash 2.1.3 on CentOS 7.

I'm sending logs to ELK in syslog format (for now, though will switch to JSON at some point) from rsyslog. I'm ingesting some nginx access logs in NCSA combined format.

I do still see the log in Kibana; in this example, syslog_message is set to:

10.0.0.1 - - [07/Apr/2016:14:08:48 +0000] "GET /foo/bar?access_token=XYZNYD&client=6 HTTP/1.1" 200 1574 "-" "-"

and syslog_program is nginx-access.

I tested my rule against %{COMBINEDAPACHELOG} at http://grokconstructor.appspot.com/do/match#result (using the value of syslog_message from what I see in Kibana). However, the log doesn't show up with the additional fields, making me think it's not getting parsed correctly.

# cat 05_filter.conf 
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "(?m)<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

# cat 12_nginx_filter.conf
filter {
  if [syslog_program] == "nginx-access" {
    grok {
      match => { "syslog_message" => "%{COMBINEDAPACHELOG}" }
      remove_tag => ["_grokparsefailure"]
      add_tag => ["nginx_access"]
    }
    geoip {
      source => "clientip"
    }
  }
}
# cat 99_output.conf 
output {
  # See http://kartar.net/2014/09/when-logstash-and-syslog-go-wrong/
  # but basically, give us a way to easily find / analyze messages we
  # aren't parsing.
  if [type] == "syslog" and "_grokparsefailure" in [tags] {
    file { path => "/var/log/logstash/failed_syslog_events" }
  }
  elasticsearch {
    hosts => ["XXXX:9200"]
    sniffing => true
  }
}

Separately, if I use syntax closer to the example here:
https://miteshshah.github.io/linux/elk/how-to-monitor-nginx-logs-on-elk-stack/, when an access log (vs. an error log) comes in, the first grok seems to match, but then the second results in a _grokparsefailure; that's why I changed the conditionals a bit.
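To make the two-stage parse in the configs above concrete, here is an added Python stand-in for the pipeline (my own example, not code from the thread or from Logstash): a hand-written approximation of the syslog envelope pattern from 05_filter.conf and of %{COMBINEDAPACHELOG}, the PRI decoding the syslog_pri filter performs, and the tagging rules, including the fact that grok's add_tag/remove_tag only run when the match succeeds, so the remove_tag in 12_nginx_filter.conf cannot clear a failure produced by that same grok. The regexes are assumptions that approximate the grok patterns rather than the real pattern files, and the sample lines (hostname web01, the error-log line) are constructed, modelled on the munged lines posted in the thread.

```python
import re

# Hand-written Python stand-ins for the grok patterns used in the thread
# (the syslog envelope and %{COMBINEDAPACHELOG}); approximations, not
# Logstash's own pattern files.
SYSLOG_RE = re.compile(
    r"^<(?P<syslog_pri>\d+)>"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>[^\s:\[]+)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$",
    re.S,
)

# NCSA combined format. Like grok's %{QS}, referrer and agent keep their
# surrounding quotes, which is why rubydebug shows them as "\"http://...\"".
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) '
    r'(?P<referrer>"(?:[^"\\]|\\.)*") (?P<agent>"(?:[^"\\]|\\.)*")$'
)

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]


def syslog_pri_fields(pri):
    """Decode a syslog PRI the way the syslog_pri filter does:
    facility = pri // 8, severity = pri % 8. Only local0-7 are named here."""
    facility_code, severity_code = divmod(int(pri), 8)
    if 16 <= facility_code <= 23:
        facility = "local%d" % (facility_code - 16)
    else:
        facility = "facility%d" % facility_code  # other facilities left unnamed
    return {
        "syslog_facility_code": facility_code,
        "syslog_severity_code": severity_code,
        "syslog_facility": facility,
        "syslog_severity": SEVERITIES[severity_code],
    }


def process(message, event_type="syslog"):
    """Mirror the 05_filter.conf / 12_nginx_filter.conf flow for one line.

    Returns the event dict. A grok that does not match adds _grokparsefailure,
    as Logstash does; add_tag/remove_tag run only after a successful match.
    """
    event = {"message": message, "type": event_type, "tags": []}
    if event["type"] != "syslog":
        return event

    m = SYSLOG_RE.match(message)
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    event.update(syslog_pri_fields(event["syslog_pri"]))

    if event.get("syslog_program") == "nginx-access":
        m = COMBINED_RE.match(event["syslog_message"])
        if m:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            # remove_tag only runs here, on success, so it can never clear a
            # failure tag set by this same grok; for events that reach this
            # point it is effectively a no-op.
            if "_grokparsefailure" in event["tags"]:
                event["tags"].remove("_grokparsefailure")
            event["tags"].append("nginx_access")
        else:
            event["tags"].append("_grokparsefailure")
    return event


# Constructed sample lines, modelled on the (munged) ones posted in the thread.
ACCESS_LINE = (
    '<189>Apr 11 17:56:45 web01 nginx-access: 192.168.1.1 - - '
    '[11/Apr/2016:17:56:40 +0000] "GET /my/request HTTP/1.1" 200 26253 '
    '"http://www.example.com/foo" "Mozilla/5.0 (Linux; Android 5.0.1)"'
)
TOKEN_LINE = (
    '<189>Apr  7 14:08:48 web01 nginx-access: 10.0.0.1 - - '
    '[07/Apr/2016:14:08:48 +0000] "GET /foo/bar?access_token=XYZNYD&client=6 HTTP/1.1" '
    '200 1574 "-" "-"'
)
# An nginx error-log line arriving under the nginx-access program name: the
# envelope parses, the combined-format grok does not, so the event is tagged.
ERROR_LINE = (
    '<187>Apr 11 17:56:45 web01 nginx-access: 2016/04/11 17:56:40 [error] '
    '1234#0: *1 open() failed (2: No such file or directory)'
)

if __name__ == "__main__":
    for line in (ACCESS_LINE, TOKEN_LINE, ERROR_LINE):
        ev = process(line)
        print(ev["tags"], ev.get("clientip"), ev.get("request"))
```

Running it prints the tags and the extracted clientip/request for each line, which is the quickest way to see which stage a line fails at before wiring up the stdout { codec => rubydebug } output in Logstash itself. One defender's observation on the first sample in the thread: the request field keeps the query string verbatim, so a URL carrying access_token=... is indexed unchanged; a mutate gsub on request (or dropping the query string) before the elasticsearch output keeps such credentials out of the index.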

Please add a stdout { codec => rubydebug } output and show its output when Logstash has processed an nginx message.

Sorry for the delay. Here's what I see in the logstash log from that. Doing a search today, I am finding the results, so maybe this is due to needing to wait a day for the indices to switch over? I don't believe that should be necessary, but have seen this happen before (I did go into the Kibana menu to refresh the new fields the other day).

With some details munged...

{
                 "message" => "<189>Apr 11 17:56:45 xxxxxxxxx nginx-access: 192.168.1.1 - - [11/Apr/2016:17:56:40 +0000] \"GET /my/request HTTP/1.1\" 200 26253 \"http://www.example.com/foo\" \"Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG-SGH-I337 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/48.0.2564.106 Mobile Safari/537.36\"",
                "@version" => "1",
              "@timestamp" => "2016-04-12T00:56:45.000Z",
                    "type" => "syslog",
                    "host" => "10.0.0.1",
              "syslog_pri" => "189",
        "syslog_timestamp" => "Apr 11 17:56:45",
         "syslog_hostname" => "xxxxxxxxx",
          "syslog_program" => "nginx-access",
          "syslog_message" => "192.168.1.1 - - [11/Apr/2016:17:56:40 +0000] \"GET /my/request HTTP/1.1\" 200 26253 \"http://www.example.com/foo\" \"Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG-SGH-I337 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/48.0.2564.106 Mobile Safari/537.36\"",
             "received_at" => "2016-04-11T17:56:45.453Z",
           "received_from" => "10.0.0.1",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 23,
         "syslog_facility" => "local7",
         "syslog_severity" => "notice",
                "clientip" => "192.168.1.1",
                   "ident" => "-",
                    "auth" => "-",
               "timestamp" => "11/Apr/2016:17:56:40 +0000",
                    "verb" => "GET",
                 "request" => "/my/request",
             "httpversion" => "1.1",
                "response" => "200",
                   "bytes" => "26253",
                "referrer" => "\"http://www.example.com/foo\"",
                   "agent" => "\"Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG-SGH-I337 Build/LRX22C; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/48.0.2564.106 Mobile Safari/537.36\"",
                    "tags" => [
        [0] "nginx_access"
    ],
                   "geoip" => {
                  "ip" => "192.168.1.1",
       "country_code2" => "US",
       "country_code3" => "USA",
        "country_name" => "United States",
      "continent_code" => "NA",
            "latitude" => XX.0,
           "longitude" => -YY.0,
            "dma_code" => 0,
           "area_code" => 0,
            "location" => [
            [0] -YY.0,
            [1] XX.0
        ]
    }
}

Looks good. Once you're confident that things work you'll probably want to delete the message and syslog_message fields.