Problems with custom log file format

lists at lazygranch.com lists at lazygranch.com
Mon Aug 22 02:02:04 UTC 2016


Nginx 1.10.1,2 

FreeBSD 10.2-RELEASE-p18 #0: Sat May 28 08:53:43 UTC 2016


I'm using the "map" module to detect obvious hacking by detecting
keywords. (Yes, I know about Naxsi.) Finding the really dumb hacks is
easy. I give them a 444 return code with the idea being I can run a
script on the log file and block these IPs. (Yes, I know about swatch.)

My problem is the access.log doesn't get formatted all the time. I have
many examples, but this is representative. First group has 444 at the
start of the line (custom format). The next group uses the default
format.
----------------------------------
444 111.91.62.144 - - [21/Aug/2016:09:31:50 +0000] "GET /wp-login.php HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "-"
444 175.123.98.240 - - [21/Aug/2016:04:39:44 +0000] "GET /manager/html HTTP/1.1" 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0" "-"
444 103.253.14.43 - - [21/Aug/2016:05:43:15 +0000] "GET /admin/config.php HTTP/1.1" 0 "-" "python-requests/2.10.0" "-"
444 185.130.6.49 - - [21/Aug/2016:14:23:09 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 0 "-" "-" "-"


176.26.5.107 - - [21/Aug/2016:09:43:20 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
195.90.204.103 - - [21/Aug/2016:17:09:11 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 444 0 "-" "-"
--------------------------

I'm putting the return code first to simplify my scripting that I will
use to feed blocking in ipfw. 

My nginx.conf follows (abbreviated). The email may mangle the
formatting a bit.
-------------
http {

    log_format  main  '$status $remote_addr - $remote_user [$time_local] "$request" '
                      '$body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    # ... remainder of the http block omitted in the original post
}
---------------------------
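Editor's note: the configuration below is an added example, not the poster's nginx.conf, showing the mechanism the post describes end to end: a `map` that flags probe URIs, `return 444` for flagged requests, and the custom `main` log format. The variable name `$bad_request`, the probe paths in the map and the server name and root are illustrative assumptions. The caveat worth checking on any server with this setup: an `access_log` directive in a `server` or `location` block that omits the format name uses nginx's default `combined` format, which puts `$status` after `"$request"` rather than first, so every `access_log` that should feed the blocking script needs the format named explicitly.

```nginx
http {
    log_format  main  '$status $remote_addr - $remote_user [$time_local] "$request" '
                      '$body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Keyword detection on the raw request URI. Keys starting with ~* are
    # case-insensitive regexes; anything that matches nothing gets 0.
    # The variable name and the paths below are assumptions for this example.
    map $request_uri $bad_request {
        default                     0;
        ~*wp-login\.php             1;
        ~*/manager/html             1;
        ~*phpmyadmin                1;
        ~*/admin/config\.php        1;
    }

    server {
        listen       80;
        server_name  example.com;

        # Name the format here as well: "access_log /path;" alone would log
        # in the default combined format, with $status after "$request".
        access_log  /var/log/nginx/access.log  main;

        # 444 closes the connection without sending a response; the request
        # is still written to the access log with $status = 444.
        if ($bad_request) {
            return 444;
        }

        location / {
            root  /usr/local/www/example;
        }
    }
}
```

Run `nginx -t` after the change and then `grep -c '^[0-9]\{3\} ' /var/log/nginx/access.log` against `wc -l` on the same file; the two counts should agree once every `access_log` directive names `main`.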
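Editor's note: the script below is an added example, not the poster's blocking script. It parses both line shapes seen in the post, the custom `main` format with `$status` first and nginx's default `combined` format with `$status` after `"$request"`, collects the client addresses that received a 444, and emits `ipfw table` commands for them. The sample log is constructed for the example from addresses that appear in the post plus one private address; the ipfw table number (1) and the assumption that a `deny ... from table(1)` rule already exists are not from the original. Unknown line formats are skipped and counted rather than guessed at, and loopback, private and link-local addresses are never emitted so the script cannot lock out the administrator.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample log for this example (addresses taken from the post,
# plus one private address).  Lines 1, 2 and 5 are in the custom "main"
# format with $status first; lines 3 and 4 are in nginx's default "combined"
# format, where $status follows "$request".
SAMPLE_LOG = """\
444 111.91.62.144 - - [21/Aug/2016:09:31:50 +0000] "GET /wp-login.php HTTP/1.1" 0 "-" "Mozilla/5.0" "-"
200 103.253.14.43 - - [21/Aug/2016:09:32:00 +0000] "GET /index.html HTTP/1.1" 1234 "-" "curl/7.49.0" "-"
176.26.5.107 - - [21/Aug/2016:09:43:20 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "Mozilla/5.0"
195.90.204.103 - - [21/Aug/2016:09:44:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"
444 10.0.0.5 - - [21/Aug/2016:09:45:00 +0000] "GET /admin/config.php HTTP/1.1" 0 "-" "python-requests/2.10.0" "-"
"""

# One regex per log format.  nginx escapes '"' inside logged variables
# (as \x22), so [^"]* is safe for the quoted fields.
FORMATS = [
    ("main", re.compile(
        r'^(?P<status>\d{3}) (?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
        r'"(?P<request>[^"]*)" (?P<bytes>\d+) "(?P<referer>[^"]*)" '
        r'"(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')),
    ("combined", re.compile(
        r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
        r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
        r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')),
]


def parse_line(line: str) -> Optional[dict]:
    """Fields of one access-log line plus the name of the format that matched,
    or None if neither format matches (the caller counts these, not guesses)."""
    line = line.rstrip("\r\n")
    for name, rx in FORMATS:
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["format"] = name
            return rec
    return None


def blocked_addrs(lines: Iterable[str], status: str = "444") -> List[str]:
    """Unique client addresses that received `status`, in first-seen order.
    Addresses that are not valid IP literals, or not globally routable
    (loopback, RFC 1918, link-local), are skipped so the firewall never
    gets fed the server's own or an internal address."""
    seen = set()
    out: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        try:
            ip = ipaddress.ip_address(rec["addr"])
        except ValueError:
            continue            # not an IP literal: do not pass it to ipfw
        if not ip.is_global:
            continue            # private/loopback/link-local: never block
        if rec["addr"] not in seen:
            seen.add(rec["addr"])
            out.append(rec["addr"])
    return out


def unparsed_count(lines: Iterable[str]) -> int:
    """Number of lines that matched neither format; a non-zero value means
    some access_log directive is writing a third format."""
    return sum(1 for line in lines if line.strip() and parse_line(line) is None)


def ipfw_commands(addrs: Iterable[str], table: int = 1) -> List[str]:
    """ipfw table commands for the addresses.  Assumes a rule such as
    'ipfw add 100 deny ip from table(1) to any' already exists; the table
    number 1 is an assumption for this example, not from the post."""
    return [f"ipfw table {table} add {a}" for a in addrs]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for cmd in ipfw_commands(blocked_addrs(lines)):
        print(cmd)
    print(f"# unparsed lines: {unparsed_count(lines)}")
```

On the real host, run it against `/var/log/nginx/access.log` and pipe the output into `sh` only after reviewing it; the `unparsed_count` figure is the quickest way to tell whether a third format is still reaching the log.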


