Graylog sidecar does not parse nginx access log

Hello community!

Maybe a noob question. But after I successfully connected a Graylog node with tag: nginx, which should parse /var/log/nginx/access.log, I don't see that the log is parsed. Yes, new logs come into Graylog, but there is only one field "message" and a few others; I want to split the message field into "server name", "ip", "user agent", etc. It should be simple, but no idea where it is set up?

Structuring of the data can be done using extractors or pipeline rules.

Where should extractors be applied? Before, extraction work was handled by nodes; for now the Graylog server itself does the extraction. Can this be the cause of high CPU?

If you ingest messages, you need to parse/enrich the data into separate fields yourself.

As @sachin already pointed out, use extractors ( http://docs.graylog.org/en/2.4/pages/extractors.html ) or processing pipelines ( http://docs.graylog.org/en/2.4/pages/pipelines.html ) to parse the message.

For log files you could use the COMMONAPACHELOG grok pattern, which will parse out all fields that are specific to httpd log files. But only as long as they follow the common Apache log pattern.
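What the COMMONAPACHELOG parse described above actually yields, as an added Python example that is not part of this thread nor Graylog's own code: a regex equivalent of the grok COMMONAPACHELOG pattern, extended with the two quoted fields that nginx's default "combined" log_format appends (grok's COMBINEDAPACHELOG), run over constructed sample lines. The capture names mirror the grok field names (clientip is the "ip" and agent the "user agent" asked for above). The sample lines, and the hypothetical custom log_format with a $server_name prefix in the last one, are constructed for the example.

```python
import re
from datetime import datetime
from typing import Optional

# Regex equivalent of the grok COMMONAPACHELOG pattern. The trailing optional
# group holds the two quoted fields that nginx's default "combined" log_format
# appends ($http_referer and $http_user_agent); grok calls that extension
# COMBINEDAPACHELOG. Group names mirror the grok capture names.
ACCESS_LOG_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# grok HTTPDATE, e.g. 10/Oct/2023:13:55:36 +0000
HTTPDATE_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields, or return None if it does not
    follow the common/combined Apache format (a custom nginx log_format, for
    example). None is the equivalent of a message Graylog leaves with only
    the 'message' field populated."""
    m = ACCESS_LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    # Type the numeric fields the way an extractor with a numeric converter
    # would; '-' in the bytes column means no response body was sent.
    fields["response"] = int(fields["response"])
    fields["bytes"] = None if fields["bytes"] == "-" else int(fields["bytes"])
    fields["timestamp_dt"] = datetime.strptime(fields["timestamp"], HTTPDATE_FORMAT)
    return fields


# Constructed sample lines (not from the thread). The first three follow
# nginx's default combined format; the third is a non-HTTP probe that nginx
# logs with the raw request bytes escaped. The last uses a hypothetical custom
# log_format that prefixes $server_name, which COMMONAPACHELOG does not cover.
SAMPLE_LINES = [
    r'203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.7 - alice [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/2.0" 302 - "https://example.test/" "curl/8.4.0"',
    r'192.0.2.5 - - [10/Oct/2023:13:56:01 +0000] "\x16\x03\x01" 400 150 "-" "-"',
    r'example.test 203.0.113.10 - - [10/Oct/2023:13:57:00 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


def parse_sample_lines() -> list:
    """Parse every constructed sample line; unparsed lines come back as None."""
    return [parse_access_log_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, rec in zip(SAMPLE_LINES, parse_sample_lines()):
        if rec is None:
            print("UNPARSED:", line)
        else:
            print(rec["clientip"], rec["verb"] or rec["rawrequest"], rec["response"], rec["agent"])
```

The last sample line comes back as None: a "server name" field is not in nginx's default log_format, so a log_format that adds it needs its own grok pattern (or pipeline rule) rather than COMMONAPACHELOG, exactly the caveat in the reply above.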

That is clear! Thank you!
