
@wagnst
Created June 13, 2016 09:44
{
"extractors": [
{
"title": "Remote Address",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "remote_addr",
"extractor_config": {
"regex_value": "nginx:\\s+(\\S+)"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Remote User",
"extractor_type": "regex",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "remote_user",
"extractor_config": {
"regex_value": "nginx: \\S+ - (\\S+)"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Request Timestamp",
"extractor_type": "regex",
"converters": [
{
"type": "date",
"config": {
"date_format": "dd/MMM/YYYY:HH:mm:ss Z"
}
}
],
"order": 2,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "timestamp",
"extractor_config": {
"regex_value": "nginx:.+?\\[(.+?)\\]"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Request Verb",
"extractor_type": "regex",
"converters": [],
"order": 3,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "request_verb",
"extractor_config": {
"regex_value": "nginx:.+\\[.+\\] \"(\\S+)"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Request Path",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 4,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "request_path",
"extractor_config": {
"regex_value": "nginx:.+?\"\\S+ (\\S+).+\""
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "HTTP Version",
"extractor_type": "regex",
"converters": [],
"order": 5,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "http_version",
"extractor_config": {
"regex_value": "nginx:.+HTTP/(\\S+)\""
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Response Status",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 6,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "response_status",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" (\\d+)"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Response Bytes",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 7,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "response_bytes",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ (\\d+)"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "HTTP Referer",
"extractor_type": "regex",
"converters": [],
"order": 9,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "http_referer",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \"(.+?)\""
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "HTTP User Agent",
"extractor_type": "regex",
"converters": [],
"order": 8,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "http_user_agent",
"extractor_config": {
"regex_value": "nginx:.+?HTTP/\\S+\" \\d+ \\d+ \".+?\" \"(.+?)\""
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Connection ID",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 10,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "connection_id",
"extractor_config": {
"regex_value": "connection=(.+?)\\|"
},
"condition_type": "regex",
"condition_value": ".+connection=.+"
},
{
"title": "Connection requests",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 11,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "connection_requests",
"extractor_config": {
"regex_value": "connection_requests=(.+?)\\|"
},
"condition_type": "regex",
"condition_value": ".+connection_requests=.+"
},
{
"title": "Message",
"extractor_type": "regex",
"converters": [],
"order": 13,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"regex_value": "nginx:.+?\\\"(\\S+.+HTTP\\/\\S+)\\\" \\d+"
},
"condition_type": "regex",
"condition_value": "^\\S+\\s+nginx:"
},
{
"title": "Host",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "host",
"extractor_config": {
"regex_value": "host=(.+?)>"
},
"condition_type": "regex",
"condition_value": ".+host=.+"
},
{
"title": "Response time",
"extractor_type": "regex",
"converters": [
{
"type": "numeric",
"config": {}
}
],
"order": 12,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "millis",
"extractor_config": {
"regex_value": "millis=(.+?)\\|"
},
"condition_type": "regex",
"condition_value": ".+millis=.+"
}
],
"version": "2.0.0-SNAPSHOT"
}