Having trouble with parsing nginx logs.
I am using nginx and running filebeat to push nginx logs directly to elasticsearch.
These are nginx caching servers that have the following log format.
nginx log format:
log_format cache_st '$remote_addr - $upstream_cache_status [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
Error messages that we see in the ES index:
Provided Grok expressions do not match field value: [000.000.000.000 - - [28/Sep/2022:07:58:47 -0700] "GET /tt HTTP/1.1" 404 193 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"]
Provided Grok expressions do not match field value: [000.000.000.000 - - [28/Sep/2022:07:57:20 -0700] "GET /favicon.ico HTTP/1.1" 404 193 "https://refer-url.domainname.net/tt\" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"]
Here are some log entries:
000.000.000.000 - - [28/Sep/2022:07:57:20 -0700] "GET /tt HTTP/1.1" 404 193 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
000.000.000.000 - - [28/Sep/2022:07:57:20 -0700] "GET /favicon.ico HTTP/1.1" 404 193 "https://refer-url.domainname.net/tt" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
000.000.000.000 - MISS [28/Sep/2022:08:10:37 -0700] "GET /content/000/6/imagename_320x50.jpg HTTP/1.1" 200 20014 "-" "Mozilla/5.0 (Linux; Android 12; SM-N986U Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/105.0.5195.79 Mobile Safari/537.36"
000.000.000.000 - HIT [28/Sep/2022:08:10:37 -0700] "GET /content/000/6/imagename_320x50.jpg HTTP/1.1" 200 20014 "-" "Mozilla/5.0 (Linux; Android 12; SM-N986U Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/105.0.5195.79 Mobile Safari/537.36"
I would appreciate any help!
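A parser for the cache_st format, as an added example that is not part of the original post: it reads the second field as $upstream_cache_status rather than $remote_user (where a stock nginx access-log pattern would look), tolerates backslash-escaped quotes inside quoted fields like the `\"` visible in the second error message, and counts lines that fail to match so a format mismatch is visible instead of silently dropped. The sample lines are constructed, modelled on those in the post with IPs redacted.

```python
import re
from typing import Optional

# Regex equivalent of the cache_st log_format from the question.  Field two is
# $upstream_cache_status (HIT, MISS, "-", ...), not $remote_user.
CACHE_ST_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<upstream_cache_status>\S+) '
    r'\[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '        # (?:[^"\\]|\\.)* allows \" and \xNN escapes
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<http_user_agent>(?:[^"\\]|\\.)*)"$'
)

def parse_cache_line(line: str) -> Optional[dict]:
    """Return the named fields as a dict, or None when the line does not match."""
    m = CACHE_ST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["body_bytes_sent"] = 0 if d["body_bytes_sent"] == "-" else int(d["body_bytes_sent"])
    # Split "$request" into method / path / protocol; leave it whole if malformed.
    parts = d["request"].split(" ")
    if len(parts) == 3:
        d["method"], d["path"], d["http_version"] = parts
    return d

def cache_status_counts(lines) -> dict:
    """Count lines per cache status; non-matching lines are counted as 'unparsed'."""
    counts: dict = {}
    for line in lines:
        rec = parse_cache_line(line)
        key = rec["upstream_cache_status"] if rec else "unparsed"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines (hypothetical, shaped like the entries in the question).
SAMPLE_LINES = [
    '0.0.0.0 - - [28/Sep/2022:07:57:20 -0700] "GET /tt HTTP/1.1" 404 193 "-" "Mozilla/5.0 (Macintosh)"',
    '0.0.0.0 - - [28/Sep/2022:07:57:20 -0700] "GET /favicon.ico HTTP/1.1" 404 193 "https://refer-url.domainname.net/tt\\"" "Mozilla/5.0 (Macintosh)"',
    '0.0.0.0 - MISS [28/Sep/2022:08:10:37 -0700] "GET /content/000/6/imagename_320x50.jpg HTTP/1.1" 200 20014 "-" "Mozilla/5.0 (Linux; Android 12)"',
    '0.0.0.0 - HIT [28/Sep/2022:08:10:37 -0700] "GET /content/000/6/imagename_320x50.jpg HTTP/1.1" 200 20014 "-" "Mozilla/5.0 (Linux; Android 12)"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cache_line(line))
    print(cache_status_counts(SAMPLE_LINES))
```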