Maybe a noob question, but after I successfully connected a Graylog node with tag: nginx, which should parse /var/log/nginx/access.log, I don’t see that the logs are parsed. Yes, new logs come into Graylog, but there is only one field, “message”, and a few others. I want to split the message field into “server name”, “ip”, “user agent”, etc. It should be simple, but I have no idea where to set it up.
Where should extractors be applied? Before, extraction work was handled by the nodes; for now, the Graylog server itself does the extraction. Can this be the cause of high CPU?
For log files you could use the COMMONAPACHELOG grok pattern, which will parse out all fields that are specific to httpd log files, but only as long as they follow the common Apache log pattern.
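
As an added illustration of the reply above (not code from the thread and not Graylog's own implementation): a simplified Python regex approximating what COMMONAPACHELOG extracts, run on constructed nginx access-log lines. It goes slightly beyond the common pattern by also reading the referrer and user-agent tail of nginx's default `combined` format; the field names and sample lines are assumptions.

```python
import re

# Simplified approximation of the COMMONAPACHELOG grok pattern.
# Assumption: field names follow the usual grok naming; this is not Graylog's code.
COMMON = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)'
)
# Tail that nginx's default "combined" format appends: "referrer" "user agent".
TAIL = re.compile(r' "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_access_line(line):
    """Return a dict of extracted fields, or None if the line is not in common log format."""
    m = COMMON.match(line)
    if m is None:
        return None  # custom log_format: the message stays one unparsed field
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    t = TAIL.match(line, m.end())
    if t:
        fields.update(t.groupdict())
    return fields

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LINES = [
    # Default nginx "combined" format.
    r'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    r'200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Malformed request line (binary data sent to the HTTP port): kept as rawrequest.
    r'198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "\x16\x03\x01" 400 157 "-" "-"',
    # Custom log_format that does not follow the common pattern.
    r'2023-10-10T13:57:00 www.example.org 203.0.113.7 GET /index.html 200',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_access_line(line))
```

The third line returns `None`, which is the case the reply warns about: a customised `log_format` needs its own pattern.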