Skip to content
Permalink
Fetching contributors…
Cannot retrieve contributors at this time
97 lines (86 sloc) 3.87 KB
@define elastic_host "1.2.3.4:9200"
template t_nginx {
template("$(format-json --pair host.name=$HOST --pair host.ip=$SOURCEIP --pair @timestamp=$ISODATE --pair message=$MESSAGE --pair tags=nginx --pair ecs.version=1.0.0 --pair process.name=${PROGRAM} --key http.* --key user.* --key user_agent.* --key event.* --key url.* --key source.* )\n");
};
destination d_nginx_file_json {
file(
"/var/log/nginx/${S_YEAR}.${S_MONTH}.${S_DAY}/${HOST}.json"
template("$(template t_nginx)")
create-dirs(yes)
);
};
destination d_elastic_nginx {
elasticsearch-http(
url("http://`elastic_host`/_bulk")
index("nginx-${S_YEAR}-${S_MONTH}-${S_DAY}")
headers("Content-Type: application/x-ndjson")
# time-zone("UTC")
type("")
workers(4)
batch-lines(16)
timeout(10)
template("$(template t_nginx)")
disk-buffer(
mem-buf-length(10000)
disk-buf-size(10000000)
reliable(no)
)
persist-name("nginx")
log-fifo-size(20000)
);
};
log {
# On openSUSE the default source is called 'src' while on most other distributions like Debian it is called 's_src'
source(src);
destination(d_nginx_file_json);
if ( "${PROGRAM}" eq "nginx" ) {
parser {
apache-accesslog-parser(
prefix("nginx.")
);
# https://github.com/elastic/beats/blob/master/filebeat/module/nginx/access/test/access.log-expected.json
map-value-pairs(
pair("event.dataset", "nginx.access")
pair("event.module", "nginx")
pair("http.request.method", "${nginx.verb}")
pair("http.request.referrer", "${nginx.referrer}")
pair("http.response.body.bytes", "${nginx.bytes}")
pair("http.response.status_code", "${nginx.response}")
pair("http.version", "${nginx.httpversion}")
# pair("nginx.access.remote_ip_list" "${nginx.clientip}")
pair("source.address", "${nginx.clientip}")
pair("source.ip", "${nginx.clientip}")
pair("url.original", "${nginx.request}")
pair("user.name", "${nginx.auth}")
pair("user_agent.original", "${nginx.agent}")
# pair("http.request.body.content", "${}")
# pair("http.request.bytes", "${}")
# pair("http.response.body.content", "${}")
# pair("http.response.bytes", "${}")
);
geoip2(
"${source.ip}",
prefix( "geo." )
database( "/etc/syslog-ng/GeoLite2-City.mmdb" )
);
};
# only add geo data when it makes sense
if ("${geo.location.latitude}" != "") {
# remap kv pairs of geoip to match Elastic ECS requirements
parser {
map-value-pairs(
pair("source.geo.city_name", "${geo.city.names.en}")
pair("source.geo.continent_name", "${geo.continent.names.en}")
pair("source.geo.country_iso_code", "${geo.country.iso_code}")
pair("source.geo.country_name", "${geo.country.names.en}")
#pair("source.geo.name", "")
pair("source.geo.region_iso_code", "${geo.subdivisions.0.iso_code}")
pair("source.geo.region_name", "${geo.subdivisions.0.names.en}")
pair("source.geo.location", "${geo.location.latitude},${geo.location.longitude}")
);
};
};
};
# destination(d_nginx_file_json);
destination(d_elastic_nginx);
};
You can’t perform that action at this time.