@mariotacke
Created March 7, 2017 04:36
Default nginx log format (combined) and grok pattern

log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

NGINX_ACCESS %{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] \"%{DATA:request}\" %{INT:status} %{NUMBER:bytes_sent} \"%{DATA:http_referer}\" \"%{DATA:http_user_agent}\"

input {
  file {
    type => "nginx"
    start_position => "beginning"
    path => [ "/var/log/nginx/*.log" ]
  }
}

filter {
  if [type] == "nginx" {
    grok {
      # directory containing the file that defines NGINX_ACCESS
      patterns_dir => "/etc/logstash/patterns"
      match => { "message" => "%{NGINX_ACCESS}" }
      # remove_tag and add_tag are applied only when the match succeeds
      remove_tag => [ "_grokparsefailure" ]
      add_tag => [ "nginx_access" ]
    }
    # look up the location of the client address extracted by grok
    geoip {
      source => "remote_addr"
    }
  }
}

output {
  redis {
    host => "<your redis host>"
    data_type => "list"
    key => "logstash"
    codec => json
  }
}
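
Added example, not part of the gist: a Python approximation of the NGINX_ACCESS pattern, run over constructed log lines, that keeps non-matching lines in a separate list in the way Logstash marks them with `_grokparsefailure`. The regex, the function names and the sample lines are assumptions for illustration; grok's IPORHOST, HTTPDATE and NUMBER are approximated with simpler expressions.

```python
import re
from datetime import datetime

# Python approximation of the gist's NGINX_ACCESS grok pattern (same field
# names). fullmatch is used, so trailing junk counts as a failure.
NGINX_ACCESS = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>[A-Za-z0-9._-]+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<bytes_sent>\d+) '
    r'"(?P<http_referer>.*?)" "(?P<http_user_agent>.*?)"'
)

def parse_line(line):
    """Return a dict of typed fields, or None when the line does not match."""
    m = NGINX_ACCESS.fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    try:
        event["time_local"] = datetime.strptime(
            event["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # bracketed field was not an HTTPDATE-style timestamp
    event["status"] = int(event["status"])
    event["bytes_sent"] = int(event["bytes_sent"])
    return event

def parse_all(lines):
    """Split lines into parsed events and failures; failures are kept."""
    parsed, failed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            failed.append(line)
        else:
            parsed.append(event)
    return parsed, failed

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [07/Mar/2017:04:36:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.52.1"',
    '198.51.100.23 - alice [07/Mar/2017:04:36:05 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
    # Error-log style line, as a *.log glob would also pick up error.log.
    '2017/03/07 04:36:09 [error] 1234#0: *5 open() "/var/www/favicon.ico" failed',
]

if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE)
    print(len(ok), "parsed;", len(bad), "failed:", bad)
```

The third sample line shows why the failure list matters: the input path `/var/log/nginx/*.log` also matches `error.log`, whose lines are not in combined format.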
@tobiasvl

tobiasvl commented Sep 27, 2017

Does this pattern do anything that the included COMBINEDAPACHELOG pattern doesn't do, except make sure that USER is -?

@alonwillmakeit

Why remove the _grokparsefailure? Doesn't it mean that there's a problem in the grok pattern that should be attended to?