Diffstat (limited to 'src/fluent-bit/conf/parsers.conf')
-rw-r--r-- | src/fluent-bit/conf/parsers.conf | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/src/fluent-bit/conf/parsers.conf b/src/fluent-bit/conf/parsers.conf
new file mode 100644
index 000000000..71706545d
--- /dev/null
+++ b/src/fluent-bit/conf/parsers.conf
@@ -0,0 +1,126 @@
+[PARSER]
+ Name apache
+ Format regex
+ Regex ^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")?$
+ Time_Key time
+ Time_Format %d/%b/%Y:%H:%M:%S %z
+
+[PARSER]
+ Name apache2
+ Format regex
+ Regex ^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^ ]*) +\S*)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>.*)")?$
+ Time_Key time
+ Time_Format %d/%b/%Y:%H:%M:%S %z
+
+[PARSER]
+ Name apache_error
+ Format regex
+ Regex ^\[[^ ]* (?<time>[^\]]*)\] \[(?<level>[^\]]*)\](?: \[pid (?<pid>[^\]]*)\])?( \[client (?<client>[^\]]*)\])? (?<message>.*)$
+
+[PARSER]
+ Name nginx
+ Format regex
+ Regex ^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")
+ Time_Key time
+ Time_Format %d/%b/%Y:%H:%M:%S %z
+
+[PARSER]
+ # https://rubular.com/r/IhIbCAIs7ImOkc
+ Name k8s-nginx-ingress
+ Format regex
+ Regex ^(?<host>[^ ]*) - (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*) "(?<referer>[^\"]*)" "(?<agent>[^\"]*)" (?<request_length>[^ ]*) (?<request_time>[^ ]*) \[(?<proxy_upstream_name>[^ ]*)\] (\[(?<proxy_alternative_upstream_name>[^ ]*)\] )?(?<upstream_addr>[^ ]*) (?<upstream_response_length>[^ ]*) (?<upstream_response_time>[^ ]*) (?<upstream_status>[^ ]*) (?<reg_id>[^ ]*).*$
+ Time_Key time
+ Time_Format %d/%b/%Y:%H:%M:%S %z
+
+[PARSER]
+ Name json
+ Format json
+ Time_Key time
+ Time_Format %d/%b/%Y:%H:%M:%S %z
+
+[PARSER]
+ Name docker
+ Format json
+ Time_Key time
+ Time_Format %Y-%m-%dT%H:%M:%S.%L
+ Time_Keep On
+ # --
+ # Since Fluent Bit v1.2, if you are parsing Docker logs and using
+ # the Kubernetes filter, it's not longer required to decode the
+ # 'log' key.
+ #
+ # Command | Decoder | Field | Optional Action
+ # =============|==================|=================
+ #Decode_Field_As json log
+
+[PARSER]
+ Name docker-daemon
+ Format regex
+ Regex time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"
+ Time_Key time
+ Time_Format %Y-%m-%dT%H:%M:%S.%L
+ Time_Keep On
+
+[PARSER]
+ Name syslog-rfc5424
+ Format regex
+ Regex ^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*?)\]|-)) (?<message>.+)$
+ Time_Key time
+ Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+ Time_Keep On
+
+[PARSER]
+ Name syslog-rfc3164-local
+ Format regex
+ Regex ^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$
+ Time_Key time
+ Time_Format %b %d %H:%M:%S
+ Time_Keep On
+
+[PARSER]
+ Name syslog-rfc3164
+ Format regex
+ Regex /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
+ Time_Key time
+ Time_Format %b %d %H:%M:%S
+ Time_Keep On
+
+[PARSER]
+ Name mongodb
+ Format regex
+ Regex ^(?<time>[^ ]*)\s+(?<severity>\w)\s+(?<component>[^ ]+)\s+\[(?<context>[^\]]+)]\s+(?<message>.*?) *(?<ms>(\d+))?(:?ms)?$
+ Time_Format %Y-%m-%dT%H:%M:%S.%L
+ Time_Keep On
+ Time_Key time
+
+[PARSER]
+ # https://rubular.com/r/0VZmcYcLWMGAp1
+ Name envoy
+ Format regex
+ Regex ^\[(?<start_time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)? (?<protocol>\S+)" (?<code>[^ ]*) (?<response_flags>[^ ]*) (?<bytes_received>[^ ]*) (?<bytes_sent>[^ ]*) (?<duration>[^ ]*) (?<x_envoy_upstream_service_time>[^ ]*) "(?<x_forwarded_for>[^ ]*)" "(?<user_agent>[^\"]*)" "(?<request_id>[^\"]*)" "(?<authority>[^ ]*)" "(?<upstream_host>[^ ]*)"
+ Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+ Time_Keep On
+ Time_Key start_time
+
+[PARSER]
+ # https://rubular.com/r/17KGEdDClwiuDG
+ Name istio-envoy-proxy
+ Format regex
+ Regex ^\[(?<start_time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)? (?<protocol>\S+)" (?<response_code>[^ ]*) (?<response_flags>[^ ]*) (?<response_code_details>[^ ]*) (?<connection_termination_details>[^ ]*) (?<upstream_transport_failure_reason>[^ ]*) (?<bytes_received>[^ ]*) (?<bytes_sent>[^ ]*) (?<duration>[^ ]*) (?<x_envoy_upstream_service_time>[^ ]*) "(?<x_forwarded_for>[^ ]*)" "(?<user_agent>[^\"]*)" "(?<x_request_id>[^\"]*)" (?<authority>[^ ]*)" "(?<upstream_host>[^ ]*)" (?<upstream_cluster>[^ ]*) (?<upstream_local_address>[^ ]*) (?<downstream_local_address>[^ ]*) (?<downstream_remote_address>[^ ]*) (?<requested_server_name>[^ ]*) (?<route_name>[^ ]*)
+ Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+ Time_Keep On
+ Time_Key start_time
+
+[PARSER]
+ # http://rubular.com/r/tjUt3Awgg4
+ Name cri
+ Format regex
+ Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
+ Time_Key time
+ Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+ Time_Keep On
+
+[PARSER]
+ Name kube-custom
+ Format regex
+ Regex (?<tag>[^.]+)?\.?(?<pod_name>[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?<namespace_name>[^_]+)_(?<container_name>.+)-(?<docker_id>[a-z0-9]{64})\.log$ |
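Review bot: The `istio-envoy-proxy` regex is missing the opening quote before the authority group: it reads `"(?<x_request_id>[^\"]*)" (?<authority>[^ ]*)"`, where the `envoy` parser just above it has `"(?<authority>[^ ]*)"`. Because `[^ ]*` also accepts a quote character, lines still match but `authority` is stored with a leading `"`, so exact-match filters and detection rules on that field will silently miss; the group should read `"(?<authority>[^ ]*)"`. In `mongodb`, `(:?ms)?` looks like a transposed `(?:ms)?`; as written it is a capturing group that accepts an optional colon. Most of these patterns are matched against client-controlled text (path, referer, agent), and a line that fails to match is presumably forwarded unparsed, so a header comment such as `# Lines that match no parser are not split into fields; count or alert on parse failures downstream` would help whoever builds rules on these fields.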