identw · September 24, 2025 12:47
diff --git a/custom_parsers.conf b/custom_parsers.conf
 [PARSER]
    Name docker_no_time
    Format json
    Time_Keep Off
    Time_Key time
    Time_Format %Y-%m-%dT%H:%M:%S.%L

 [PARSER]
    Name json_nginx
    Format json
    Time_Key timestamp
    Time_Format %Y-%m-%d %H:%M:%S.%L %z

 [PARSER]
    Name nginx_error
    Format regex
    Regex ^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \[(?<error_level>[a-z]+)\] [0-9]{1,10}#[0-9]{1,10}: (\*[0-9]+ )?(.*?)(?=,)(, client: )(?<IP>[^,]+)?(, server: (?<VHOST>[^,]+))?.*$

 [PARSER]
    # http://rubular.com/r/tjUt3Awgg4
    Name custom_cri
    Format regex
    Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<_p>P|F) (?<log>.*)$
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep   On
    Decode_Field_As    json    log

 [PARSER]
    Name custom_cri_php
    Format regex
    Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<_p>P|F) \[[^\]]+\] WARNING: \[pool www\] child [0-9]{1,9} said into stderr: \"(NOTICE: )?(?<log>.*)\"$
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep   On

 [PARSER]
    Name custom_cri_php_slow_log
    Format regex
    Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<_p>P|F)(?<log>.*)$
    Time_Key    time
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep   On

 [MULTILINE_PARSER]
    Name          multiline_nodejs_exception
    Type          regex
    flush_timeout 1000
    parser        custom_cri
    key_content   log

    rule  "start_state" "/^.*Error:.+$/" "cont"
    rule  "cont"        "/^\s+.+$/" "cont"

 [MULTILINE_PARSER]
    Name          multiline_json
    Type          regex
    flush_timeout 1000
    parser        custom_cri
    key_content   log

    rule  "start_state" "/^{\s*$/" "cont"
    rule  "cont"        "/^(\s+.*|\})$/" "cont"


 [MULTILINE_PARSER]
    Name          multiline_php_slowlog
    Type          regex
    flush_timeout 1000
    parser        custom_cri_php_slow_log
    key_content   log

    rule  "start_state" "/^ \[[^\]]+\] WARNING: \[pool www\] child [0-9]{1,9}, script .+executing too slow.+$/" "cont"
    rule  "cont"        "/^ (\[[^\]]+\] NOTICE: child [0-9]{1,9} stopped for tracing|\[[^\]]+\] NOTICE: about to trace [0-9]{1,9}|\[[^\]]+\]  \[pool www\] pid [0-9]{1,9}|script_filename =.+|\[0x[0-9a-f]{16}\].+|\[[^\]]+\] NOTICE: finished trace of [0-9]{1,9}|[^ ]+ (stdout|stderr) (P|F)\s*|)$/" "cont"

 [MULTILINE_PARSER]
    Name           multiline_php_error
    Type           regex
    flush_timeout  1000
    parser         custom_cri_php
    key_content    log
    
    rule  "start_state" "/^PHP message.+$/" "cont"
    rule  "cont"        "/^(Stack|#[0-9]{1,2}|  thrown).*/" "cont"

 [MULTILINE_PARSER]
    Name          multiline_with_indent
    Type          regex
    flush_timeout 1000
    parser        custom_cri
    key_content   log

    rule  "start_state" "/^[a-zA-Z0-9].+$/" "cont"
    rule  "cont"        "/^\s+.+$/" "cont"
	[PARSER]
	Name docker_no_time
	Format json
	Time_Keep Off
	Time_Key time
	Time_Format %Y-%m-%dT%H:%M:%S.%L

	[PARSER]
	Name json_nginx
	Format json
	Time_Key timestamp
	Time_Format %Y-%m-%d %H:%M:%S.%L %z

	[PARSER]
	Name nginx_error
	Format regex
	Regex ^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \[(?<error_level>[a-z]+)\] [0-9]{1,10}#[0-9]{1,10}: (\[0-9]+ )?(.?)(?=,)(, client: )(?<IP>[^,]+)?(, server: (?<VHOST>[^,]+))?.*$

	[PARSER]
	# http://rubular.com/r/tjUt3Awgg4
	Name custom_cri
	Format regex
	Regex ^(?<time>[^ ]+) (?<stream>stdout\|stderr) (?<_p>P\|F) (?<log>.*)$
	Time_Key time
	Time_Format %Y-%m-%dT%H:%M:%S.%L%z
	Time_Keep On
	Decode_Field_As json log

	[PARSER]
	Name custom_cri_php
	Format regex
	Regex ^(?<time>[^ ]+) (?<stream>stdout\|stderr) (?<_p>P\|F) \[[^\]]+\] WARNING: \[pool www\] child [0-9]{1,9} said into stderr: \"(NOTICE: )?(?<log>.*)\"$
	Time_Key time
	Time_Format %Y-%m-%dT%H:%M:%S.%L%z
	Time_Keep On

	[PARSER]
	Name custom_cri_php_slow_log
	Format regex
	Regex ^(?<time>[^ ]+) (?<stream>stdout\|stderr) (?<_p>P\|F)(?<log>.*)$
	Time_Key time
	Time_Format %Y-%m-%dT%H:%M:%S.%L%z
	Time_Keep On

	[MULTILINE_PARSER]
	Name multiline_nodejs_exception
	Type regex
	flush_timeout 1000
	parser custom_cri
	key_content log

	rule "start_state" "/^.*Error:.+$/" "cont"
	rule "cont" "/^\s+.+$/" "cont"

	[MULTILINE_PARSER]
	Name multiline_json
	Type regex
	flush_timeout 1000
	parser custom_cri
	key_content log

	rule "start_state" "/^{\s*$/" "cont"
	rule "cont" "/^(\s+.*\|\})$/" "cont"


	[MULTILINE_PARSER]
	Name multiline_php_slowlog
	Type regex
	flush_timeout 1000
	parser custom_cri_php_slow_log
	key_content log

	rule "start_state" "/^ \[[^\]]+\] WARNING: \[pool www\] child [0-9]{1,9}, script .+executing too slow.+$/" "cont"
	rule "cont" "/^ (\[[^\]]+\] NOTICE: child [0-9]{1,9} stopped for tracing\|\[[^\]]+\] NOTICE: about to trace [0-9]{1,9}\|\[[^\]]+\] \[pool www\] pid [0-9]{1,9}\|script_filename =.+\|\[0x[0-9a-f]{16}\].+\|\[[^\]]+\] NOTICE: finished trace of [0-9]{1,9}\|[^ ]+ (stdout\|stderr) (P\|F)\s*\|)$/" "cont"

	[MULTILINE_PARSER]
	Name multiline_php_error
	Type regex
	flush_timeout 1000
	parser custom_cri_php
	key_content log

	rule "start_state" "/^PHP message.+$/" "cont"
	rule "cont" "/^(Stack\|#[0-9]{1,2}\| thrown).*/" "cont"

	[MULTILINE_PARSER]
	Name multiline_with_indent
	Type regex
	flush_timeout 1000
	parser custom_cri
	key_content log

	rule "start_state" "/^[a-zA-Z0-9].+$/" "cont"
	rule "cont" "/^\s+.+$/" "cont"