Nginx Error log content pack for Graylog 4

Hi Team,

Any idea on an Nginx error log content pack for Graylog 4 with a UDP input? If anyone has a content pack for this, please let me know.

Regards
Ajay Negi


Hello @ajay.negi

Is this a specific Nginx content pack, or do you need any Nginx content pack? There are a couple I see here, so I assume this may not be what you wanted?

Hi @gsmith ,
Thanks for the update… Actually we only need the Nginx error log content pack… as there is a date parsing error when we receive the Nginx error log in Graylog 4.2.7.
For the Nginx access log we already installed the content pack and it is working fine… Our only concern is the error log.

Also, the error log messages we receive have an 8-hour difference…
gl2_processing_error
Error evaluating action for rule <test to change/62bac83953dc79608e0b6dca> (pipeline <testpipeline/62bc119b53dc79608e0cdef0>) - In call to function 'parse_date' at 6:21 an exception was thrown: Invalid format: "2022-06-30T09:53:21.000+08:00" is malformed at ".000+08:00"

Pipeline rule is:
rule "test to change"
when
    has_field("timestamp")
then
    // the following date format assumes there's no time zone in the string
    let newtimestamp = parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss,SSS");
    set_field("timestamp", newtimestamp);
    remove_field("timestamp");
end
Any idea how we can parse the time of the error log…

I see one of your problems: there is an issue with the field name you use.
Meaning you need something like this. Otherwise you're removing the same field you just adjusted.

Pipeline rule is:
rule "test to change"
when
    has_field("timestamp")
then
    // the following date format assumes there's no time zone in the string
    let newtimestamp = parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss,SSS");
    set_field("new_timestamp", newtimestamp);
    remove_field("timestamp");
end

There are tons of pipeline/extractor date/time conversions in this forum; perhaps this post may help give you an idea.


For a time difference I would check the date/time on the device that nginx is on; you may need to use NTP or something similar. Also check your Graylog server under System/Overview, Time configuration.

My Nginx logs are something like this: <187>Jul 1 06:03:45 nginx: 2022/07/01 06:03:45 [error] 1966872#0: *17257159… and so on. Can we take nginx as a field?
Timestamp
2022-06-30 22:03:45.000
timestamp
2022-06-30 22:03:45.000 +00:00

Time configuration

Dealing with timezones can be confusing. Here you can see the timezone applied to different components of your system. You can check timezone settings of specific graylog-server nodes on their respective detail page.

User admin:
2022-07-01 04:10:40 +00:00
Your web browser:
2022-07-01 09:40:40 +05:30
Graylog server: 2022-07-01 12:11:11 +08:00

message
nginx: 2022/07/01 06:03:45 [error] 1966872#0: *17257159 could not be resolved (3: Host not found), client: 172.28.213.20, server: Servername, request: "GET /version/ HTTP/1.1", host: "hostname"

I see :eyes:

2022-07-01 04:10:40 +00:00
2022-07-01 09:40:40 +05:30
2022-07-01 12:11:11 +08:00

Man, I'm not sure what's going on. I see 4 different timestamps and the Nginx logs are 8 hours off :thinking: I'm not sure if this is the category for this post, perhaps Graylog Central.

Any help on this… as I created a pipeline rule, i.e.:
rule "replace timestamp"
when
    true
then
    let result = regex("([0-9-T.:]+)", to_string($message.timestamp));
    let new_date = parse_date(to_string(result["0"]), "yyyy-MM-dd'T'HH:mm:ss.SSS");
    set_field("timestamp", new_date);
end

and it's working fine, no error, but the messages are not shown on the stream… confused on that part now…
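As an added example (this is not code from the thread or from Graylog), the following Python parses the syslog-wrapped nginx error line quoted earlier in the thread into fields and then shows what the regex rule above does to the timestamp: its character class `([0-9-T.:]+)` stops at the `+`, so the `+08:00` offset is dropped and the remaining naive value ends up being read as UTC, which moves the event 8 hours into the future. The context-key list, the field names, and the assumption that the nginx host runs at +08:00 (taken from the Graylog server's time configuration shown in the thread) are my own choices.

```python
"""Parse an nginx error-log line and demonstrate the dropped-offset bug.

Added example, not code from the thread or from Graylog. Regexes, field
names and the SOURCE_TZ assumption are mine.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the line quoted in the thread, syslog PRI included.
SAMPLE = ('<187>Jul 1 06:03:45 nginx: 2022/07/01 06:03:45 [error] 1966872#0: '
          '*17257159 could not be resolved (3: Host not found), '
          'client: 172.28.213.20, server: Servername, '
          'request: "GET /version/ HTTP/1.1", host: "hostname"')

# Assumption: the host writing the log is at +08:00, as the Graylog server
# in the thread is. nginx's own timestamp carries no offset, so we supply it.
SOURCE_TZ = timezone(timedelta(hours=8))

# <PRI>Mon d HH:MM:SS tag: yyyy/mm/dd HH:MM:SS [level] pid#tid: *cid message
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<tag>[^:]+): '
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): '
    r'(?:\*(?P<cid>\d+) )?'
    r'(?P<msg>.*)$'
)
# Trailing "key: value" context pairs nginx appends; values may be quoted.
# Restricting the keys avoids treating "(3: Host not found)" as a pair.
_CTX_KEYS = ('client', 'server', 'request', 'host',
             'upstream', 'referrer', 'subrequest')
_KV = re.compile(r'\b(?P<key>' + '|'.join(_CTX_KEYS) +
                 r'): (?:"(?P<q>[^"]*)"|(?P<b>[^,]+))')


def parse_nginx_error_line(line: str) -> dict:
    """Split one syslog-wrapped nginx error line into typed fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError('not an nginx error-log line: %r' % line[:40])
    pri = int(m['pri'])
    # Attach the source offset, then keep a UTC copy for storage/search.
    ts = datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S').replace(tzinfo=SOURCE_TZ)
    msg = m['msg']
    ctx, first = {}, None
    for kv in _KV.finditer(msg):
        if first is None:
            first = kv.start()
        ctx[kv['key']] = kv['q'] if kv['q'] is not None else kv['b'].strip()
    error_text = msg[:first].rstrip(' ,') if first is not None else msg
    return {
        'facility': pri // 8, 'severity': pri % 8,
        'timestamp': ts, 'timestamp_utc': ts.astimezone(timezone.utc),
        'level': m['level'], 'pid': int(m['pid']),
        'connection': int(m['cid']) if m['cid'] else None,
        'error': error_text, **ctx,
    }


def parse_graylog_timestamp(value: str, keep_offset: bool) -> datetime:
    """Parse an ISO-8601 string like the one in the thread's error message.

    keep_offset=False mimics the regex rule: only '([0-9-T.:]+)' is kept,
    the '+08:00' is lost, and the naive result is then read as UTC.
    """
    if keep_offset:
        return datetime.strptime(value, '%Y-%m-%dT%H:%M:%S.%f%z')
    stripped = re.match(r'[0-9T.:-]+', value).group(0)
    return datetime.strptime(stripped, '%Y-%m-%dT%H:%M:%S.%f').replace(tzinfo=timezone.utc)


def offset_error_hours(value: str) -> float:
    """How far into the future the offset-stripping parse pushes the event."""
    aware = parse_graylog_timestamp(value, keep_offset=True)
    naive_as_utc = parse_graylog_timestamp(value, keep_offset=False)
    return (naive_as_utc - aware).total_seconds() / 3600


if __name__ == '__main__':
    fields = parse_nginx_error_line(SAMPLE)
    print(fields['timestamp_utc'], fields['level'], fields['client'], fields['error'])
    print('hours shifted:', offset_error_hours('2022-06-30T09:53:21.000+08:00'))
```

With the +08:00 assumption the parsed line lands at 2022-06-30 22:03:45 UTC, which is exactly the `timestamp` Graylog displays in the thread, so the 8-hour "difference" there is the correct conversion to UTC, not a parse error. The regex rule, by contrast, yields a timestamp 8 hours ahead of real time; a message stamped in the future will not appear in a relative-time stream search, which is consistent with "no error, but messages not shown". Graylog's `parse_date` uses Joda-Time patterns, so the fix in a pipeline rule is to keep the offset in the pattern (Joda `ZZ` matches an offset written as `+08:00`) rather than to strip it with a regex.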

How do you know it's working fine? Use debug() in your pipeline and tail -f Graylog's log file. This will give you an idea of what's going on.

EDIT:
Example of what I was referring to.

then
    let new_date = parse_date(to_string(result["0"]), "yyyy-MM-dd'T'HH:mm:ss.SSS");
    set_field("timestamp", new_date);
    debug(new_date);   // <---------- ADD THIS INTO YOUR PIPELINE
end

Then

root# tail -f /var/log/graylog-server/server.log
