Send nginx log in json format


(Yaroslav) #1

Hello, I have 2 questions. 1st is: how can I send nginx logs to Graylog in JSON format? What settings in nginx.conf do I need? My settings now are: log_format graylog_json escape=json '{' '"timestamp":"$time_local",' '"level":"1",' '"city":"testing",' '"http_user_agent":"$http_user_agent",' '}';
But it doesn’t work.
And 2nd question: how can I use the JSON extractor to add new fields? I want to do this without a pipeline.
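
Added example, not part of the original post and not nginx or Graylog code: the Python sketch below renders the log_format quoted in post #1 with constructed sample values and checks whether each resulting line parses as JSON. It shows that the comma left before the closing brace yields invalid JSON, and that a quote in the client-supplied User-Agent breaks the line when values are not escaped. The helper escape_json is an assumption that only approximates what escape=json does.

```python
import json
import re

# The log_format pieces from post #1, joined the way nginx joins adjacent strings.
POSTED_FORMAT = (
    '{'
    '"timestamp":"$time_local",'
    '"level":"1",'
    '"city":"testing",'
    '"http_user_agent":"$http_user_agent",'
    '}'
)
# Same fields with the comma before the closing brace removed.
FIXED_FORMAT = POSTED_FORMAT.replace(',}', '}')

# Constructed sample values; the user agent contains quotes and a backslash,
# as a client is free to send.
SAMPLE_VARS = {
    "time_local": "10/Oct/2018:13:55:36 +0300",
    "http_user_agent": 'curl/7.58 "test\\agent"',
}

def escape_json(value):
    """Approximation of escape=json: escape quotes, backslashes, control chars."""
    return json.dumps(value, ensure_ascii=False)[1:-1]

def render(fmt, variables, escape=True):
    """Substitute $name variables into a log_format template."""
    def sub(match):
        value = variables[match.group(1)]
        return escape_json(value) if escape else value
    return re.sub(r"\$([a-z_]+)", sub, fmt)

def check(line):
    """Return (True, parsed dict) or (False, parser error message)."""
    try:
        return True, json.loads(line)
    except json.JSONDecodeError as exc:
        return False, str(exc)

if __name__ == "__main__":
    cases = [("posted", POSTED_FORMAT, True),
             ("fixed", FIXED_FORMAT, True),
             ("fixed, no escaping", FIXED_FORMAT, False)]
    for name, fmt, esc in cases:
        ok, result = check(render(fmt, SAMPLE_VARS, escape=esc))
        print(f"{name}: {'valid' if ok else 'INVALID'} -> {result}")
```
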


(Tess) #2

What exactly doesn’t work? Right now you’re telling the mechanic “My car broke”, without stating:

  • What are the symptoms?
  • Which of the parts is showing errors, if any?
  • What are the errors?
  • What is the expected behaviour that you were checking for?
  • What is the behaviour that you actually got?

Etc.

I do believe the documentation site for Graylog may have some details for you on that… I suggest Googling a bit first; I’d have to do the same :slight_smile: To my knowledge: “extractors” is the keyword :slight_smile:


(Yaroslav) #3

The documentation site does not have enough information. I used Google to find an answer to my question, and when I understood that I can’t solve the problem I went to the forum.


(Tess) #4

Cool! In that case, which documentation have you found (please link the sources), what have you tried so far and yet again: what is happening, what is going wrong, what is not behaving as expected, etc.


(Yaroslav) #5

Okay, wait a sec. I’ll make a screenshot.


(Yaroslav) #6

Okay, let’s start.
My nginx.conf has this format:

As Google says, in this format nginx can send logs in JSON format.
This is what Graylog showed:

Then I go to create the JSON extractor:

And set the params for extracting:

I press the “Try” button and that’s what I got:

Finally, what do I want? I want the extractor to parse the log and add new key-value fields.


(Tess) #7

I assume that you’ve seen this ServerFault thread?

Looks very much like your situation. I see one difference though: the log format they use is “graylog2_json”. Note the extra “2”.

The good thing is that your screenshots show that Graylog is in fact receiving the raw messages. That’s good!


(Yaroslav) #8

Okay, I will look at this.


(Tess) #9

Also your key-value separator is incorrect.

  • You defined it as =
  • The raw message shows it’s :

The ServerFault thread also mentions a content pack you can use to make life easier.


(Yaroslav) #10

I changed it. And it didn’t help.


(Yaroslav) #11

And added “2” in nginx.conf.


(Yaroslav) #12


In this issue he says that he can’t get the nginx log. But I can.


(Tess) #13

Well, I didn’t mean they have the same problem. I meant that you could sneak a peek at their settings, see where things are different. I see they also offered a sample extractor and that they referred to a specific content pack which you may not have installed.


(Jan Doberstein) #14

@Uporaba

What was the reason you want to feed in JSON from NXLOG to Graylog and not use any known, well-working extractor?


(Yaroslav) #15

Remember please, I don’t understand.


(Yaroslav) #16

I read it again and understood. Sorry.


(Yaroslav) #17

I don’t know. Do you have a solution to my problem?


(Yaroslav) #18

I don’t want to use a content pack. I want to use a clean JSON nginx log without other modification, because the JSON format allows you to automatically add new fields in Graylog without additional settings from Graylog and without administrator intervention.


(system) closed #19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.