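# log2journal configuration for nginx access logs written as JSON.
# For all nginx variables, check this:
# https://nginx.org/en/docs/http/ngx_http_core_module.html#var_connection_requests
#
# NOTE(review): boolean-looking scalars (yes/no) are quoted throughout so that a
# YAML 1.1 loader cannot turn them into booleans; the journal field must carry
# the literal text "yes" / "no".
pattern: json
prefix: NGINX_

# When log2journal can detect the filename of each log entry (tail gives it
# only when it tails multiple files), this key will be used to send the
# filename to the journals.
filename:
  key: NGINX_LOG_FILENAME

# Drop fields that should not reach the journal.
# $binary_remote_addr is the client address in binary form; the textual
# $remote_addr is still exported, so the binary copy is only noise here.
filter:
  exclude: '^(NGINX_BINARY_REMOTE_ADDR)$'

# Rename fields to their canonical journal names.
rename:
  # MESSAGE becomes the raw request line. That text is client-controlled:
  # treat it as untrusted when building alerts or regexes on the journal.
  - new_key: MESSAGE
    old_key: NGINX_REQUEST
  # args is an alias for query_string
  - new_key: NGINX_QUERY_STRING
    old_key: NGINX_ARGS
  # document_uri is an alias for uri
  - new_key: NGINX_URI
    old_key: NGINX_DOCUMENT_URI
  # is_args states if the request had a query string or not
  - new_key: NGINX_HAS_QUERY_STRING
    old_key: NGINX_IS_ARGS
  # msec is the timestamp in seconds, with fractional digits for milliseconds
  - new_key: NGINX_TIMESTAMP_SEC
    old_key: NGINX_MSEC
  # nginx_version is already prefixed with nginx, let's remove one of them
  - new_key: NGINX_VERSION
    old_key: NGINX_NGINX_VERSION
  # pipe states if the request was pipelined or not
  - new_key: NGINX_PIPELINED
    old_key: NGINX_PIPE
  # rename numeric PROXY protocol TLVs to their names
  - new_key: NGINX_PROXY_PROTOCOL_TLV_ALPN
    old_key: NGINX_PROXY_PROTOCOL_TLV_0X01
  - new_key: NGINX_PROXY_PROTOCOL_TLV_AUTHORITY
    old_key: NGINX_PROXY_PROTOCOL_TLV_0X02
  - new_key: NGINX_PROXY_PROTOCOL_TLV_UNIQUE_ID
    old_key: NGINX_PROXY_PROTOCOL_TLV_0X05
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL
    old_key: NGINX_PROXY_PROTOCOL_TLV_0X20
  - new_key: NGINX_PROXY_PROTOCOL_TLV_NETNS
    old_key: NGINX_PROXY_PROTOCOL_TLV_0X30
  # rename numeric SSL sub-TLVs to their names
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERSION
    old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X21
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_CN
    old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X22
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_CIPHER
    old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X23
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_SIG_ALG
    old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X24
  - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_KEY_ALG
    old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X25

# Inject constant fields into the journal logs.
inject:
  - key: SYSLOG_IDENTIFIER
    value: nginx-log
  # PRIORITY starts as a copy of NGINX_STATUS; the rewrite rules below map it
  # to a syslog severity.
  - key: PRIORITY
    value: '${NGINX_STATUS}'
  # NGINX_STATUS_FAMILY starts as a copy of NGINX_STATUS; the rewrite rules
  # below reduce it to "1xx" .. "5xx".
  - key: NGINX_STATUS_FAMILY
    value: '${NGINX_STATUS}'

# Rewrite the value of fields (including the duplicated ones).
# The search pattern can have named groups, and the replace pattern can use
# them as ${name}.
# Each key lists its specific match first and a catch-all '.*' last; this
# assumes the first matching rule for a key wins (confirm against the
# log2journal version in use before reordering).
rewrite:
  # a ? means it has query string, everything else means it does not
  - key: NGINX_HAS_QUERY_STRING
    match: '^\?$'
    value: 'yes'
  - key: NGINX_HAS_QUERY_STRING
    match: '.*'
    value: 'no'
  # 'on' means it was HTTPS, everything else means it was not
  - key: NGINX_HTTPS
    match: '^on$'
    value: 'yes'
  - key: NGINX_HTTPS
    match: '.*'
    value: 'no'
  # 'p' means it was pipelined, everything else means it was not
  - key: NGINX_PIPELINED
    match: '^p$'
    value: 'yes'
  - key: NGINX_PIPELINED
    match: '.*'
    value: 'no'
  # zero means the client sent a certificate and it was verified; any other
  # value (including an empty one) means it was not
  - key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERIFY
    match: '^0$'
    value: 'yes'
  - key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERIFY
    match: '.*'
    value: 'no'
  # 'OK' means request completed, everything else means it didn't
  - key: NGINX_REQUEST_COMPLETION
    match: '^OK$'
    value: 'completed'
  - key: NGINX_REQUEST_COMPLETION
    match: '.*'
    value: 'not completed'
  # PRIORITY is a duplicate of NGINX_STATUS, mapped to a syslog severity:
  #   1xx/2xx/3xx -> 6 (info), 4xx -> 5 (notice), 5xx -> 3 (error),
  #   anything else (missing or malformed status) -> 4 (warning).
  # Valid PRIORITIES: 0=emerg, 1=alert, 2=crit, 3=error, 4=warn, 5=notice, 6=info, 7=debug
  - key: PRIORITY
    match: '^[123]'
    value: 6
  - key: PRIORITY
    match: '^4'
    value: 5
  - key: PRIORITY
    match: '^5'
    value: 3
  - key: PRIORITY
    match: '.*'
    value: 4
  # NGINX_STATUS_FAMILY is a duplicate of NGINX_STATUS, reduced to its class.
  # The (?<name>...) named group is PCRE2 syntax.
  - key: NGINX_STATUS_FAMILY
    match: '^(?<first_digit>[1-5])'
    value: '${first_digit}xx'
  - key: NGINX_STATUS_FAMILY
    match: '.*'
    value: 'UNKNOWN'

# Control what to do when input logs do not match the main PCRE2 pattern.
unmatched:
  # The journal key to log the PCRE2 error message to.
  # Set this to MESSAGE so the error text is visible in the log.
  key: MESSAGE
  # Inject static fields to the unmatched entries.
  # PRIORITY=1 (alert) makes unmatched entries stand out. A burst of them
  # usually means the nginx log format changed or the input is malformed;
  # investigate rather than silence them.
  inject:
    - key: PRIORITY
      value: 1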