Structured logging example configurations

filebeat.yml

# Apache httpd
- input_type: log
  paths:
    - /var/log/httpd/access_log.js
  document_type: apache
  json.keys_under_root: true
  json.add_error_key: true

# Squid
- input_type: log
  paths:
    - /var/log/squid/access_log.js
  document_type: squid
  json.keys_under_root: true
  json.add_error_key: true

httpd.conf

LogFormat "{ \"clientip\": \"%h\", \"ident\": \"%l\", \"auth\": \"%u\", \"timestamp\": \"%{%FT%T%z}t\", \"verb\": \"%m\", \"request\": \"%U%q\", \"httpversion\": \"%H\", \"response\": %>s, \"bytes\": %b, \"referer\": \"%{Referer}i\", \"agent\": \"%{User-agent}i\" }" combinedjson
CustomLog logs/access_log.js combinedjson

squid.conf

logformat combinedjson { "clientip": "%>a", "ident": "%ui", "uname": "%un", "timestamp": "%{%FT%T%z}tg", "verb": "%rm", "request": "%ru", "httpversion": "HTTP/%rv", "response": %>Hs, "bytes": %<st, "referer": "%{Referer}>h", "agent": "%{User-Agent}>h", "request_status": "%Sh", "hierarchy_status": "%Sh" }
access_log /var/log/squid/access_log.js combinedjson

I think there is a small mistake in squid.conf line 1, for the combinedjson the %Sh is used twice.

, "request_status": "%Sh", "hierarchy_status": "%Sh"
should be
, "request_status": "%Ss", "hierarchy_status": "%Sh"