Nginx error log parser
mohit Agrawal
mohit3081989 at gmail.com
Wed Jan 10 13:58:46 UTC 2018
Hi All,
I have something like this. I tested the `tail -f /var/log/nginx/error.log
| awk -f /var/log/nginx/test.awk` part and it just works fine. But when i
try to run it through fluentd, it doesn't do anything. Any idea why ?
<source>
@type exec
format json
tag sample
command tail -f /var/log/nginx/error.log | awk -f
/var/log/nginx/test.awk
</source>
<match sample >
@type stdout
</match>
Also /var/log/nginx/test.awk, is as follow :
################# tst.awk #################
BEGIN {FS = "," }
{
split($1, m, "\ ")
gsub(/ /, "", $2)
split($2, a, ":")
gsub(/ /, "", $3)
split($3, b, ":")
gsub(/ /, "", $4)
split($4, c, ":")
gsub(/ /, "", $5)
split($5, d, ":")
printf "%s", "{"
printf "\"%s\" : \"%s\",",a[1], a[2]
printf "\"%s\" : \"%s\",",b[1], b[2]
#printf "%s",$3 ","
#printf "%s",$5 ","
#printf "%s",$4 ","
printf "\"%s\" : %s,",c[1], c[2]
printf "\"%s\" : %s,",d[1], d[2]
split(m[10], e, "\"")
printf " \"reason\": \"%s %s %s %s %s\"}\n", m[6], m[7], m[8], m[9], e[2
]
}
#############################################
On 10 January 2018 at 17:53, mohit Agrawal <mohit3081989 at gmail.com> wrote:
> Thanks Aziz for this, I get your point, but can we do awking in fluentd
> cons file ? Basically we are looking for realtime awking a nginx error log
> file, how heavy this would be according to you.
>
> On 10 January 2018 at 17:44, Aziz Rozyev <arozyev at nginx.com> wrote:
>
>> If you need parse exactly the same format, as you’ve shown in you
>> question, it’s fairly easy to create something e.g. perl/awk/sed script.
>>
>> for instance:
>>
>> ################# tst.awk #################
>> BEGIN {FS = "," }
>> {
>> split($1, m, "\ ")
>> printf "%s", "{ "
>> printf "%s",$2
>> printf "%s",$3
>> printf "%s",$5
>> printf "%s",$4
>> printf "reason: %s %s %s %s \"%s\"\n", m[6], m[7], m[8], m[9], m[10]
>> print " }”
>>
>> }
>> #############################################
>>
>>
>> result:
>>
>> echo 2018/01/10 06:26:31 [error] 13485#13485: *64285471 limiting
>> connections by zone "rl_conn", client: xx.xx.xx.xx, server: www.xyz.com,
>> request: "GET /api/xyz HTTP/1.1", host: "www.xyz.com" | awk -f
>> /tmp/test.awk
>> { client: xx.xx.xx.xx server: www.xyz.com host: www.xyz.com request:
>> GET /api/xyz HTTP/1.1reason: limiting connections by zone "rl_conn"
>> }
>>
>>
>> br,
>> Aziz.
>>
>>
>>
>>
>>
>> > On 10 Jan 2018, at 14:45, mohit Agrawal <mohit3081989 at gmail.com> wrote:
>> >
>> > Yeah I have tried grok / regex pattern as well. But not extensive
>> success that I achieved. grok didn't work for me, I tried regex then it was
>> able to segregate time , pid, tid, log_level and message. I also need
>> message break up for above pattern
>> >
>> > On 10 January 2018 at 17:12, Aziz Rozyev <arozyev at nginx.com> wrote:
>> > Hi Mohit,
>> >
>> > check the second reply. I’m not sure that there is a conventional
>> pretty printing
>> > tools for nginx error log.
>> >
>> >
>> > br,
>> > Aziz.
>> >
>> >
>> >
>> >
>> >
>> > > On 10 Jan 2018, at 14:37, mohit Agrawal <mohit3081989 at gmail.com>
>> wrote:
>> > >
>> > > Hi Aziz,
>> > >
>> > > log_format directive only provides formatting for access log, I am
>> looking to format error.log which doesn't take log_format directive.
>> > > Above example that I gave is just for nginx error logs.
>> > >
>> > > Thanks
>> > >
>> > > On 10 January 2018 at 15:26, Aziz Rozyev <arozyev at nginx.com> wrote:
>> > > btw, after re-reading the your questing, it looks like you need
>> something like logstash grok filter.
>> > >
>> > > br,
>> > > Aziz.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > > On 10 Jan 2018, at 11:45, mohit Agrawal <mohit3081989 at gmail.com>
>> wrote:
>> > > >
>> > > > Hi ,
>> > > >
>> > > > I am looking to parse nginx error log so as to find out which
>> particular IP is throttled during specific amount of time on connection
>> throttling / request throttling. The format looks like :
>> > > >
>> > > > 2018/01/10 06:26:31 [error] 13485#13485: *64285471 limiting
>> connections by zone "rl_conn", client: xx.xx.xx.xx, server: www.xyz.com,
>> request: "GET /api/xyz HTTP/1.1", host: "www.xyz.com"
>> > > > And the sample that I am looking for is :
>> > > >
>> > > > {client: "xx.xx.xx.xx", server: "www.xyz.com", host: "www.xyz.com",
>> "request": "GET /api/xyz HTTP/1.1", reason: "limiting connections by zone
>> "rl_conn""}
>> > > > so that I can pass it through ELK stack and find out the root ip
>> which is causing issue.
>> > > >
>> > > >
>> > > > --
>> > > > Mohit Agrawal
>> > > > _______________________________________________
>> > > > nginx mailing list
>> > > > nginx at nginx.org
>> > > > http://mailman.nginx.org/mailman/listinfo/nginx
>> > >
>> > > _______________________________________________
>> > > nginx mailing list
>> > > nginx at nginx.org
>> > > http://mailman.nginx.org/mailman/listinfo/nginx
>> > >
>> > >
>> > >
>> > > --
>> > > Mohit Agrawal
>> >
>> >
>> >
>> >
>> > --
>> > Mohit Agrawal
>>
>>
>
>
> --
> Mohit Agrawal
>
--
Mohit Agrawal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180110/ff0ba632/attachment-0001.html>
More information about the nginx
mailing list