Diffstat (limited to 'collectors/log2journal/log2journal.d')
-rw-r--r--collectors/log2journal/log2journal.d/default.yaml15
-rw-r--r--collectors/log2journal/log2journal.d/nginx-combined.yaml91
-rw-r--r--collectors/log2journal/log2journal.d/nginx-json.yaml164
3 files changed, 270 insertions, 0 deletions
diff --git a/collectors/log2journal/log2journal.d/default.yaml b/collectors/log2journal/log2journal.d/default.yaml
new file mode 100644
index 000000000..d41efc4ab
--- /dev/null
+++ b/collectors/log2journal/log2journal.d/default.yaml
@@ -0,0 +1,15 @@
+pattern: none
+
+filename:
+ key: LOG_FILENAME
+
+inject:
+ - key: MESSAGE
+ value: '${LINE}' # a special variable that resolves to the whole line read from the log
+
+ - key: PRIORITY
+ value: 6 # Valid PRIORITIES: 0=emerg, 1=alert, 2=crit, 3=error, 4=warn, 5=notice, 6=info, 7=debug
+
+ - key: SYSLOG_IDENTIFIER
+ value: log2journal # the name of the application sending the logs
+
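Review bot: `pattern: none` is the only key in default.yaml without a comment, so a reader has to infer that no parsing happens and that the whole line is forwarded through `${LINE}`. A header in the style of the two nginx files would state this, for example `# Default configuration: no pattern matching; each line is sent as MESSAGE with PRIORITY 6 (info).` That reading of `none` is inferred from the inject rules and should be confirmed against the parser.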
diff --git a/collectors/log2journal/log2journal.d/nginx-combined.yaml b/collectors/log2journal/log2journal.d/nginx-combined.yaml
new file mode 100644
index 000000000..003c774d7
--- /dev/null
+++ b/collectors/log2journal/log2journal.d/nginx-combined.yaml
@@ -0,0 +1,91 @@
+# Netdata log2journal Configuration
+# The following parses nginx log files using the combined format.
+
+# The PCRE2 pattern to match log entries and give names to the fields.
+# The journal will have these names, so follow their rules. You can
+# initiate an extended PCRE2 pattern by starting the pattern with (?x)
+pattern: |
+ (?x) # Enable PCRE2 extended mode
+ ^
+ (?<NGINX_REMOTE_ADDR>[^ ]+) \s - \s # NGINX_REMOTE_ADDR
+ (?<NGINX_REMOTE_USER>[^ ]+) \s # NGINX_REMOTE_USER
+ \[
+ (?<NGINX_TIME_LOCAL>[^\]]+) # NGINX_TIME_LOCAL
+ \]
+ \s+ "
+ (?<NGINX_REQUEST>
+ (?<NGINX_REQUEST_METHOD>[A-Z]+) \s+ # NGINX_METHOD
+ (?<NGINX_REQUEST_URI>[^ ]+) \s+
+ (?<NGINX_SERVER_PROTOCOL>[^"]+)
+ )
+ " \s+
+ (?<NGINX_STATUS>\d+) \s+ # NGINX_STATUS
+ (?<NGINX_BODY_BYTES_SENT>\d+) \s+ # NGINX_BODY_BYTES_SENT
+ "(?<NGINX_HTTP_REFERER>[^"]*)" \s+ # NGINX_HTTP_REFERER
+ "(?<NGINX_HTTP_USER_AGENT>[^"]*)" # NGINX_HTTP_USER_AGENT
+
+# When log2journal can detect the filename of each log entry (tail gives it
+# only when it tails multiple files), this key will be used to send the
+# filename to the journals.
+filename:
+ key: NGINX_LOG_FILENAME
+
+rename:
+ - new_key: MESSAGE
+ old_key: NGINX_REQUEST
+
+# Inject constant fields into the journal logs.
+inject:
+ - key: SYSLOG_IDENTIFIER
+ value: nginx-log
+
+ # inject PRIORITY is a duplicate of NGINX_STATUS
+ - key: PRIORITY
+ value: '${NGINX_STATUS}'
+
+ # Inject NGINX_STATUS_FAMILY is a duplicate of NGINX_STATUS
+ - key: NGINX_STATUS_FAMILY
+ value: '${NGINX_STATUS}'
+
+# Rewrite the value of fields (including the duplicated ones).
+# The search pattern can have named groups, and the replace pattern can use
+# them as ${name}.
+rewrite:
+ # PRIORITY is a duplicate of NGINX_STATUS
+ # Valid PRIORITIES: 0=emerg, 1=alert, 2=crit, 3=error, 4=warn, 5=notice, 6=info, 7=debug
+ - key: PRIORITY
+ match: '^[123]'
+ value: 6
+
+ - key: PRIORITY
+ match: '^4'
+ value: 5
+
+ - key: PRIORITY
+ match: '^5'
+ value: 3
+
+ - key: PRIORITY
+ match: '.*'
+ value: 4
+
+ # NGINX_STATUS_FAMILY is a duplicate of NGINX_STATUS
+ - key: NGINX_STATUS_FAMILY
+ match: '^(?<first_digit>[1-5])'
+ value: '${first_digit}xx'
+
+ - key: NGINX_STATUS_FAMILY
+ match: '.*'
+ value: 'UNKNOWN'
+
+# Control what to do when input logs do not match the main PCRE2 pattern.
+unmatched:
+ # The journal key to log the PCRE2 error message to.
+ # Set this to MESSAGE, so you to see the error in the log.
+ key: MESSAGE
+
+ # Inject static fields to the unmatched entries.
+ # Set PRIORITY=1 (alert) to help you spot unmatched entries in the logs.
+ inject:
+ - key: PRIORITY
+ value: 1
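Review bot: Lines that fail the main pattern get `PRIORITY` 1 (alert) from the `unmatched` section, yet the `NGINX_REQUEST` group only accepts a well-formed `METHOD URI PROTOCOL` request line. nginx also writes access-log entries for requests it could not parse (an empty or binary request line, typically with status 400), so any remote client can generate alert-level journal entries and bury the ones that matter. Consider letting the group fall back to the raw text, e.g. wrapping the three sub-groups in `(?: ... | [^"]* )`, or using a lower value such as `value: 4` for unmatched lines. How log2journal treats unset named groups is not visible here and should be checked first. The `rewrite` list also appears to rely on the first matching rule per key winning, since otherwise the `'.*'` rules would overwrite the earlier ones, and that deserves a one-line comment above `rewrite:`.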
diff --git a/collectors/log2journal/log2journal.d/nginx-json.yaml b/collectors/log2journal/log2journal.d/nginx-json.yaml
new file mode 100644
index 000000000..7fdc4be58
--- /dev/null
+++ b/collectors/log2journal/log2journal.d/nginx-json.yaml
@@ -0,0 +1,164 @@
+# For all nginx variables, check this:
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#var_connection_requests
+
+pattern: json
+
+prefix: NGINX_
+
+# When log2journal can detect the filename of each log entry (tail gives it
+# only when it tails multiple files), this key will be used to send the
+# filename to the journals.
+filename:
+ key: NGINX_LOG_FILENAME
+
+filter:
+ exclude: '^(NGINX_BINARY_REMOTE_ADDR)$'
+
+rename:
+ - new_key: MESSAGE
+ old_key: NGINX_REQUEST
+
+ # args is an alias for query_string
+ - new_key: NGINX_QUERY_STRING
+ old_key: NGINX_ARGS
+
+ # document_uri is an alias for uri
+ - new_key: NGINX_URI
+ old_key: NGINX_DOCUMENT_URI
+
+ # is_args states if the request had a query string or not
+ - new_key: NGINX_HAS_QUERY_STRING
+ old_key: NGINX_IS_ARGS
+
+ # msec is the timestamp in seconds, with fractional digits for milliseconds
+ - new_key: NGINX_TIMESTAMP_SEC
+ old_key: NGINX_MSEC
+
+ # nginx_version is already prefixed with nginx, let's remove one of them
+ - new_key: NGINX_VERSION
+ old_key: NGINX_NGINX_VERSION
+
+ # pipe states if the request was pipelined or not
+ - new_key: NGINX_PIPELINED
+ old_key: NGINX_PIPE
+
+ # rename numeric TLVs to their names
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_ALPN
+ old_key: NGINX_PROXY_PROTOCOL_TLV_0X01
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_AUTHORITY
+ old_key: NGINX_PROXY_PROTOCOL_TLV_0X02
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_UNIQUE_ID
+ old_key: NGINX_PROXY_PROTOCOL_TLV_0X05
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL
+ old_key: NGINX_PROXY_PROTOCOL_TLV_0X20
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_NETNS
+ old_key: NGINX_PROXY_PROTOCOL_TLV_0X30
+
+ # rename numeric SSL TLVs to their names
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERSION
+ old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X21
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_CN
+ old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X22
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_CIPHER
+ old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X23
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_SIG_ALG
+ old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X24
+ - new_key: NGINX_PROXY_PROTOCOL_TLV_SSL_KEY_ALG
+ old_key: NGINX_PROXY_PROTOCOL_TLV_SSL_0X25
+
+# Inject constant fields into the journal logs.
+inject:
+ - key: SYSLOG_IDENTIFIER
+ value: nginx-log
+
+ # inject PRIORITY is a duplicate of NGINX_STATUS
+ - key: PRIORITY
+ value: '${NGINX_STATUS}'
+
+ # Inject NGINX_STATUS_FAMILY is a duplicate of NGINX_STATUS
+ - key: NGINX_STATUS_FAMILY
+ value: '${NGINX_STATUS}'
+
+
+# Rewrite the value of fields (including the duplicated ones).
+# The search pattern can have named groups, and the replace pattern can use
+# them as ${name}.
+rewrite:
+ # a ? means it has query string, everything else means it does not
+ - key: NGINX_HAS_QUERY_STRING
+ match: '^\?$'
+ value: yes
+ - key: NGINX_HAS_QUERY_STRING
+ match: '.*'
+ value: no
+
+ # 'on' means it was HTTPS, everything else means it was not
+ - key: NGINX_HTTPS
+ match: '^on$'
+ value: yes
+ - key: NGINX_HTTPS
+ match: '.*'
+ value: no
+
+ # 'p' means it was pipelined, everything else means it was not
+ - key: NGINX_PIPELINED
+ match: '^p$'
+ value: yes
+ - key: NGINX_PIPELINED
+ match: '.*'
+ value: no
+
+ # zero means client sent a certificate and it was verified, non-zero means otherwise
+ - key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERIFY
+ match: '^0$'
+ value: yes
+ - key: NGINX_PROXY_PROTOCOL_TLV_SSL_VERIFY
+ match: '.*'
+ value: no
+
+ # 'OK' means request completed, everything else means it didn't
+ - key: NGINX_REQUEST_COMPLETION
+ match: '^OK$'
+ value: 'completed'
+ - key: NGINX_REQUEST_COMPLETION
+ match: '.*'
+ value: 'not completed'
+
+ # PRIORTY is a duplicate of NGINX_STATUS
+ # Valid PRIORITIES: 0=emerg, 1=alert, 2=crit, 3=error, 4=warn, 5=notice, 6=info, 7=debug
+ - key: PRIORITY
+ match: '^[123]'
+ value: 6
+
+ - key: PRIORITY
+ match: '^4'
+ value: 5
+
+ - key: PRIORITY
+ match: '^5'
+ value: 3
+
+ - key: PRIORITY
+ match: '.*'
+ value: 4
+
+ # NGINX_STATUS_FAMILY is a duplicate of NGINX_STATUS
+ - key: NGINX_STATUS_FAMILY
+ match: '^(?<first_digit>[1-5])'
+ value: '${first_digit}xx'
+
+ - key: NGINX_STATUS_FAMILY
+ match: '.*'
+ value: 'UNKNOWN'
+
+# Control what to do when input logs do not match the main PCRE2 pattern.
+unmatched:
+ # The journal key to log the PCRE2 error message to.
+ # Set this to MESSAGE, so you to see the error in the log.
+ key: MESSAGE
+
+ # Inject static fields to the unmatched entries.
+ # Set PRIORITY=1 (alert) to help you spot unmatched entries in the logs.
+ inject:
+ - key: PRIORITY
+ value: 1
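Review bot: `filter.exclude` drops only `NGINX_BINARY_REMOTE_ADDR`, so every other key in the JSON line is copied into the journal, including the query string renamed to `NGINX_QUERY_STRING`. Which keys exist depends on the nginx `log_format`, which is not shown here, but if it emits variables such as `$http_authorization`, `$http_cookie` or `$request_body`, credentials and session tokens become readable to anyone with journal access. A comment above `filter:` such as `# every key not excluded here is written to the journal; exclude keys that carry credentials or cookies` would make that explicit. Separately, the rewrite values `yes` and `no` are unquoted while `'completed'` is quoted, and `value: 'yes'` keeps them strings under YAML 1.1 loaders. The comment above `unmatched:` mentions the PCRE2 pattern although this file uses `pattern: json`, and `PRIORTY` in the rewrite comment is a typo.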