
@njpatel
Forked from yellow1912/nginx.toml
Last active April 5, 2023 14:01
Sample Vector configuration for nginx
# Access logs are high-volume; drop this source and the two transforms that
# consume it if error logs are all you need. Access lines can also carry
# client IPs and full request URIs (query-string values included), so review
# what is allowed to leave the host before shipping them.
[sources.nginx_access_logs]
type = "file"
# Glob over every per-site nginx directory.
include = [
    "/var/log/sites/*/*/*/*/nginx/access.log",
]
# Seconds (1 day): older files are ignored.
ignore_older = 86_400
# Parse each access-log line as JSON. This only works when the nginx
# `log_format` behind these files emits JSON; define it with `escape=json` so
# client-supplied values (URI, referrer, user agent) cannot break the encoding.
# NOTE(review): `json_parser` is a legacy transform that newer Vector releases
# replace with `remap` - check it against the Vector version you run.
[transforms.nginx_access_logs_json]
inputs = ["nginx_access_logs"]
type = "json_parser"
# Tag every access event so it can be told apart from error events downstream.
[transforms.nginx_access_logs_fields]
inputs = ["nginx_access_logs_json"]
type = "add_fields"
# With overwrite disabled, an event that already has a `type` key keeps its
# own value, so make sure the nginx JSON log format does not emit one.
overwrite = false
fields = { type = "nginx_access" }
# Error logs, read from the same per-site directory layout as the access logs.
[sources.nginx_error_logs]
type = "file"
# Glob over every per-site nginx directory.
include = [
    "/var/log/sites/*/*/*/*/nginx/error.log",
]
# Seconds (1 day).
ignore_older = 86_400
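# nginx cannot write its error log as JSON, so each line is parsed with grok.
# Only lines that carry client, server, request and host match this pattern;
# other error-log lines (for example ones with no request context) will not
# match. NOTE(review): confirm how unmatched events should be handled.
# The request, host and referrer values are client-supplied, so treat the
# extracted fields as untrusted data in anything that consumes them.
[transforms.nginx_error_logs_parsed]
type = "grok_parser"
inputs = ["nginx_error_logs"]
pattern = '(?<timestamp>%{YEAR}[./]%{MONTHNUM}[./]%{MONTHDAY} %{TIME}) \[%{LOGLEVEL:level}\] %{POSINT:pid}#%{NUMBER:threadid}\: \*%{NUMBER:connectionid} %{GREEDYDATA:message}, client: %{IP:client}, server: %{GREEDYDATA:server}, request: "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))"(, upstream: "%{GREEDYDATA:upstream}")?, host: "%{DATA:host}"(, referrer: "%{GREEDYDATA:referrer}")?'
# The captured timestamp is a formatted date such as "2023/04/05 14:01:00"
# (constructed example), not epoch seconds, so it needs a strftime layout
# rather than "%s". The layout assumes "/" separators, although the pattern
# also accepts ".". The value carries no UTC offset.
# NOTE(review): confirm which timezone Vector applies to it.
types.timestamp = "timestamp|%Y/%m/%d %H:%M:%S"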
# Tag every error event, mirroring the tag added to access events.
[transforms.nginx_error_logs_fields]
inputs = ["nginx_error_logs_parsed"]
type = "add_fields"
# With overwrite disabled, an existing `type` key on the event is left alone.
overwrite = false
fields = { type = "nginx_error" }
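# Ship both tagged streams (access and error) to Axiom.
[sinks.axiom]
type = "axiom"
# Each input must be the name of a component defined in this file.
inputs = ["nginx_access_logs_fields", "nginx_error_logs_fields"]
# Placeholder value. Keep a real API token out of shared or version-controlled
# copies of this file: Vector interpolates environment variables in its
# config, e.g. token = "${AXIOM_TOKEN}" (variable name is an example), and the
# file should be readable only by the account Vector runs as.
token = "xaat-1234"
dataset = "vector-dev"
# Seconds, so about 16 minutes per request.
# NOTE(review): confirm a timeout this long is intended.
request.timeout_secs = 1000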