Shellbye/nginx_grok.conf

## nginx_grok.conf

# https://logz.io/blog/nginx-access-log-monitoring-dashboard/
input {
    file {
        type => nginx_web
        path => "/var/log/nginx/*"
        exclude => "*.gz"
    }
}

filter {
    grok {
        match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
        overwrite => [ "message" ]
    }

    mutate {
        convert => ["response", "integer"]
        convert => ["bytes", "integer"]
        convert => ["responsetime", "float"]
    }

    geoip {
        source => "clientip"
        target => "geoip"
        add_tag => [ "nginx-geoip" ]
    }

    date {
        match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
        remove_field => [ "timestamp" ]
    }

    useragent {
        source => "agent"
    }
}

output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
    }
}


## uwsgi_grok.conf
input {
    file {
        type => uwsgi
        path => ["/path/to/uwsgi.log"]
    }
}

filter {
    grok {
        match => { "message" => "\[pid: %{NUMBER:pid}\|app: %{NUMBER:id}\|req: %{NUMBER:currentReq}/%{NUMBER:totalReq}\] %{IP:remoteAddr} \(%{WORD:remoteUser}?\) \{%{NUMBER:CGIVar} vars in %{NUMBER:CGISize} bytes\} \[%{DATA:timestamp}\] %{WORD:method} %{URIPATHPARAM:uri} \=\> generated %{NUMBER:resSize} bytes in %{NUMBER:resTime} msecs \(HTTP/%{NUMBER:httpVer} %{NUMBER:status}\) %{NUMBER:headers} headers in %{NUMBER:headersSize} bytes %{GREEDYDATA:coreInfo}" }
    }

    mutate {
        convert => ["status", "integer"]
        convert => ["resSize", "integer"]
        convert => ["resTime", "float"]
    }

    geoip {
        source => "remoteAddr"
        target => "geoip"
        add_tag => [ "uwsgi-geoip" ]
    }

    date {
        match => [ "timestamp", "EEE MMM d HH:mm:ss y", "EEE MMM  d HH:mm:ss y" ]
        remove_field => [ "timestamp" ]
    }

    if "_grokparsefailure" in [tags] {
        drop {}
    }

}

output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "uwsgi-%{+YYYY.MM.dd}"
    }
}

	# https://logz.io/blog/nginx-access-log-monitoring-dashboard/
	input {
	file {
	type => nginx_web
	path => "/var/log/nginx/*"
	exclude => "*.gz"
	}
	}

	filter {
	grok {
	match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
	overwrite => [ "message" ]
	}

	mutate {
	convert => ["response", "integer"]
	convert => ["bytes", "integer"]
	convert => ["responsetime", "float"]
	}

	geoip {
	source => "clientip"
	target => "geoip"
	add_tag => [ "nginx-geoip" ]
	}

	date {
	match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
	remove_field => [ "timestamp" ]
	}

	useragent {
	source => "agent"
	}
	}

	output {
	elasticsearch {
	hosts => [ "localhost:9200" ]
	}
	}
	input {
	file {
	type => uwsgi
	path => ["/path/to/uwsgi.log"]
	}
	}

	filter {
	grok {
	match => { "message" => "\[pid: %{NUMBER:pid}\\|app: %{NUMBER:id}\\|req: %{NUMBER:currentReq}/%{NUMBER:totalReq}\] %{IP:remoteAddr} \(%{WORD:remoteUser}?\) \{%{NUMBER:CGIVar} vars in %{NUMBER:CGISize} bytes\} \[%{DATA:timestamp}\] %{WORD:method} %{URIPATHPARAM:uri} \=\> generated %{NUMBER:resSize} bytes in %{NUMBER:resTime} msecs \(HTTP/%{NUMBER:httpVer} %{NUMBER:status}\) %{NUMBER:headers} headers in %{NUMBER:headersSize} bytes %{GREEDYDATA:coreInfo}" }
	}

	mutate {
	convert => ["status", "integer"]
	convert => ["resSize", "integer"]
	convert => ["resTime", "float"]
	}

	geoip {
	source => "remoteAddr"
	target => "geoip"
	add_tag => [ "uwsgi-geoip" ]
	}

	date {
	match => [ "timestamp", "EEE MMM d HH:mm:ss y", "EEE MMM d HH:mm:ss y" ]
	remove_field => [ "timestamp" ]
	}

	if "_grokparsefailure" in [tags] {
	drop {}
	}

	}

	output {
	elasticsearch {
	hosts => [ "localhost:9200" ]
	index => "uwsgi-%{+YYYY.MM.dd}"
	}
	}