njpatel · April 5, 2023 14:01
diff --git a/nginx.toml b/nginx.toml
 # you may want to skip access, you will gets tons of logs 
 [sources.nginx_access_logs]
  type         = "file"
  include      = ["/var/log/sites/*/*/*/*/nginx/access.log"]    # supports globbing
  ignore_older = 86400                         # 1 day

 # product json logs
 [transforms.nginx_access_logs_json]
  type         = "json_parser"
  inputs       = ["nginx_access_logs"]

 # Add type of log
 [transforms.nginx_access_logs_fields]
  type         = "add_fields"
  inputs       = ["nginx_access_logs_json"]
  overwrite    = false
  fields.type  = "nginx_access"

 [sources.nginx_error_logs]
  type         = "file"
  include      = ["/var/log/sites/*/*/*/*/nginx/error.log"]    # supports globbing
  ignore_older = 86400

 # nginx does not supports json logs for error, so force
 [transforms.nginx_error_logs_parsed]
  type         = "grok_parser"
  inputs       = ["nginx_error_logs"]
  pattern      = '(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:level}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IP:client}, server: %{GREEDYDATA:server}, request: "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))"(, upstream: "%{GREEDYDATA:upstream}")?, host: "%{DATA:host}"(, referrer: "%{GREEDYDATA:referrer}")?'
  types.timestamp = "timestamp|%s" # timestamp conversion

 # add type again
 [transforms.nginx_error_logs_fields]
  type         = "add_fields"
  inputs       = ["nginx_error_logs_parsed"]
  overwrite    = false
  fields.type  = "nginx_error"

 [sinks.axiom]
  type = "axiom"
  inputs = ["nginx_logs"]
  token = "xaat-1234"
  dataset = "vector-dev"
  request.timeout_secs = 1000
	# you may want to skip access, you will gets tons of logs
	[sources.nginx_access_logs]
	type = "file"
	include = ["/var/log/sites/////nginx/access.log"] # supports globbing
	ignore_older = 86400 # 1 day

	# product json logs
	[transforms.nginx_access_logs_json]
	type = "json_parser"
	inputs = ["nginx_access_logs"]

	# Add type of log
	[transforms.nginx_access_logs_fields]
	type = "add_fields"
	inputs = ["nginx_access_logs_json"]
	overwrite = false
	fields.type = "nginx_access"

	[sources.nginx_error_logs]
	type = "file"
	include = ["/var/log/sites/////nginx/error.log"] # supports globbing
	ignore_older = 86400

	# nginx does not supports json logs for error, so force
	[transforms.nginx_error_logs_parsed]
	type = "grok_parser"
	inputs = ["nginx_error_logs"]
	pattern = '(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:level}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IP:client}, server: %{GREEDYDATA:server}, request: "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))"(, upstream: "%{GREEDYDATA:upstream}")?, host: "%{DATA:host}"(, referrer: "%{GREEDYDATA:referrer}")?'
	types.timestamp = "timestamp\|%s" # timestamp conversion

	# add type again
	[transforms.nginx_error_logs_fields]
	type = "add_fields"
	inputs = ["nginx_error_logs_parsed"]
	overwrite = false
	fields.type = "nginx_error"

	[sinks.axiom]
	type = "axiom"
	inputs = ["nginx_logs"]
	token = "xaat-1234"
	dataset = "vector-dev"
	request.timeout_secs = 1000