{"name":"Nginx content pack for analysis in Grafana","description":"Nginx content pack for analysis in Grafana\n\nGrafana Dashboard: https://grafana.com/dashboards/8486\n\nHow-to in Russian: https://itcrowd.top/graylog-nginx-grafana\n\nConfiguring nginx\n\nAdd the following to \"/etc/nginx/nginx.conf\" and restart the server.\n\nReplace \"Graylog IP-Address\" with the address of your own Graylog server:\n\nlog_format graylog2_format '$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\" $\n\naccess_log syslog:server=Graylog IP-Address:11004 graylog2_format;\n\nerror_log syslog:server=Graylog IP-Address:11005;\n\nNote: the log_format line above is cut off after \"$http_x_forwarded_for\"; it has no closing quote or semicolon. The access_log extractors in this pack also read \"connection=...|\", \"connection_requests=...|\" and \"millis=...>\" fields, so the complete format has to end with those fields.\n\nBoth inputs are Syslog UDP listeners bound to 0.0.0.0 (ports 11004 and 11005). Syslog over UDP is not authenticated or encrypted, so allow only your nginx hosts to reach these ports.","category":"Nginx Web Server","inputs":[{"id":"5bc5cbee0d1e58485c0bb5dc","title":"nginx error_log","configuration":{"expand_structured_data":false,"recv_buffer_size":1048576,"port":11005,"override_source":"","force_rdns":false,"allow_override_date":true,"bind_address":"0.0.0.0","store_full_message":false},"static_fields":{"from_nginx":"true","nginx_error":"true"},"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput","global":false,"extractors":[{"title":"Timestamp","type":"REGEX","cursor_strategy":"COPY","target_field":"timestamp","source_field":"message","configuration":{"regex_value":"^.*:\\s(\\d\\d\\d\\d/\\d\\d/\\d\\d\\s\\d\\d:\\d\\d:\\d\\d)\\s.*$"},"converters":[{"type":"DATE","configuration":{"date_format":"yyyy/MM/dd HH:mm:ss 
"}}],"condition_type":"NONE","condition_value":"","order":0},{"title":"server","type":"REGEX","cursor_strategy":"COPY","target_field":"server","source_field":"message","configuration":{"regex_value":"server:\\s(.+?)(,|$)"},"converters":[],"condition_type":"STRING","condition_value":"server","order":0},{"title":"remote_addr/client","type":"REGEX","cursor_strategy":"COPY","target_field":"remote_addr","source_field":"message","configuration":{"regex_value":"client:\\s(.+?)(,|$)"},"converters":[],"condition_type":"STRING","condition_value":"client","order":0},{"title":"host","type":"REGEX","cursor_strategy":"COPY","target_field":"host","source_field":"message","configuration":{"regex_value":"host:\\s\"(.+?)\"(,|$)"},"converters":[],"condition_type":"STRING","condition_value":"host","order":0},{"title":"request_path/request","type":"REGEX","cursor_strategy":"COPY","target_field":"request_path","source_field":"message","configuration":{"regex_value":"request:\\s\"(.+?)\"(,|$)"},"converters":[],"condition_type":"STRING","condition_value":"request","order":0},{"title":"request_verb","type":"REGEX","cursor_strategy":"COPY","target_field":"request_verb","source_field":"message","configuration":{"regex_value":"request:\\s\"(GET|HEAD|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH).+\"(,|$)"},"converters":[],"condition_type":"STRING","condition_value":"request","order":0}]},{"id":"5bc5cbee0d1e58485c0bb5e6","title":"nginx access_log","configuration":{"expand_structured_data":false,"recv_buffer_size":1048576,"port":11004,"override_source":"","force_rdns":false,"allow_override_date":true,"bind_address":"0.0.0.0","store_full_message":false},"static_fields":{"from_nginx":"true","nginx_access":"true"},"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput","global":false,"extractors":[{"title":"Remote 
Address","type":"REGEX","cursor_strategy":"COPY","target_field":"remote_addr","source_field":"message","configuration":{"regex_value":"nginx:\\s+(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":0},{"title":"Remote User","type":"REGEX","cursor_strategy":"COPY","target_field":"remote_user","source_field":"message","configuration":{"regex_value":"nginx: \\S+ - (\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":2},{"title":"Request Timestamp","type":"REGEX","cursor_strategy":"COPY","target_field":"timestamp","source_field":"message","configuration":{"regex_value":"nginx:.+?\\[(.+?)\\]"},"converters":[{"type":"DATE","configuration":{"date_format":"dd/MMM/YYYY:HH:mm:ss Z"}}],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":1},{"title":"Request Verb","type":"REGEX","cursor_strategy":"COPY","target_field":"request_verb","source_field":"message","configuration":{"regex_value":"nginx:.+\\[.+\\] \"(\\S+)"},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":3},{"title":"Request Path","type":"REGEX","cursor_strategy":"COPY","target_field":"request_path","source_field":"message","configuration":{"regex_value":"nginx:.+?\"\\S+ (\\S+).+\""},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":4},{"title":"HTTP Version","type":"REGEX","cursor_strategy":"COPY","target_field":"http_version","source_field":"message","configuration":{"regex_value":"nginx:.+HTTP/(\\S+)\""},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":5},{"title":"Response Status","type":"REGEX","cursor_strategy":"COPY","target_field":"response_status","source_field":"message","configuration":{"regex_value":"nginx:.+?HTTP/\\S+\" 
(\\d+)"},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":6},{"title":"Response Bytes","type":"REGEX","cursor_strategy":"COPY","target_field":"response_bytes","source_field":"message","configuration":{"regex_value":"nginx:.+?HTTP/\\S+\" \\d+ (\\d+)"},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":7},{"title":"HTTP Referer","type":"REGEX","cursor_strategy":"COPY","target_field":"http_referer","source_field":"message","configuration":{"regex_value":"nginx:.+?HTTP/\\S+\" \\d+ \\d+ \"(.+?)\""},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":9},{"title":"HTTP User Agent","type":"REGEX","cursor_strategy":"COPY","target_field":"http_user_agent","source_field":"message","configuration":{"regex_value":"nginx:.+?HTTP/\\S+\" \\d+ \\d+ \".+?\" \"(.+?)\""},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":8},{"title":"Connection ID","type":"REGEX","cursor_strategy":"COPY","target_field":"connection_id","source_field":"message","configuration":{"regex_value":"connection=(.+?)\\|"},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":".+connection=.+","order":10},{"title":"Connection requests","type":"REGEX","cursor_strategy":"COPY","target_field":"connection_requests","source_field":"message","configuration":{"regex_value":"connection_requests=(.+?)\\|"},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":".+connection_requests=.+","order":11},{"title":"Response 
time","type":"REGEX","cursor_strategy":"COPY","target_field":"millis","source_field":"message","configuration":{"regex_value":"millis=(.+?)>"},"converters":[{"type":"NUMERIC","configuration":{}}],"condition_type":"REGEX","condition_value":".+millis=.+","order":12},{"title":"Message","type":"REGEX","cursor_strategy":"COPY","target_field":"message","source_field":"message","configuration":{"regex_value":"nginx:.+?\\\"(\\S+.+HTTP\\/\\S+)\\\" \\d+"},"converters":[],"condition_type":"REGEX","condition_value":"^\\S+\\s+nginx:","order":13},{"title":"Nginx Domain Name","type":"REGEX","cursor_strategy":"COPY","target_field":"nginx_domain_name","source_field":"http_referer","configuration":{"regex_value":"://(.+?)/"},"converters":[],"condition_type":"NONE","condition_value":"","order":14},{"title":"User Browser","type":"REGEX","cursor_strategy":"COPY","target_field":"user_browser","source_field":"http_user_agent","configuration":{"regex_value":"(.+?)/"},"converters":[],"condition_type":"NONE","condition_value":"","order":15}]}],"streams":[{"id":"547b2a2dd4c6c10b4f1b93ce","title":"nginx HTTP 404s","description":"All requests that were answered with a HTTP 404 by 
nginx","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"response_status","value":"404","inverted":false,"description":""}],"outputs":[],"default_stream":false},{"id":"5445733cd4c6d7d480b5f48b","title":"nginx errors","description":"All requests that were logged into the nginx error_log","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_error","value":"true","inverted":false,"description":""}],"outputs":[],"default_stream":false},{"id":"5445736fd4c6d7d480b5f4c2","title":"nginx requests","description":"All 
requests that were logged into the nginx access_log","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"nginx_access","value":"true","inverted":false,"description":""}],"outputs":[],"default_stream":false},{"id":"547b2a77d4c6c10b4f1b941f","title":"nginx HTTP 5XXs","description":"All requests that were answered with a HTTP code in the 500 range by nginx","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"499","inverted":false,"description":""}],"outputs":[],"default_stream":fals
e},{"id":"547b2ad4d4c6c10b4f1b9485","title":"nginx HTTP 4XXs","description":"All requests that were answered with a HTTP code in the 400 range by nginx","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"GREATER","field":"response_status","value":"399","inverted":false,"description":""},{"type":"SMALLER","field":"response_status","value":"500","inverted":false,"description":""}],"outputs":[],"default_stream":false},{"id":"547b29b6d4c6c10b4f1b934d","title":"nginx","description":"All requests that were logged into the nginx 
access_log or nginx_error_log","disabled":false,"matching_type":"AND","stream_rules":[{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""},{"type":"EXACT","field":"from_nginx","value":"true","inverted":false,"description":""}],"outputs":[],"default_stream":false}],"outputs":[],"dashboards":[{"title":"nginx overview","description":"Overview of requests handled by nginx","dashboard_widgets":[{"description":"Response codes last hour","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":3600},"field":"response_status","stream_id":"5445736fd4c6d7d480b5f4c2","query":"*"},"col":3,"row":4,"height":0,"width":0},{"description":"Response codes last 24h","type":"QUICKVALUES","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"field":"response_status","stream_id":"5445736fd4c6d7d480b5f4c2","query":"*"},"col":2,"row":4,"height":0,"width":0},{"description":"Requests last 24h","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"interval":"minute","timerange":{"type":"relative","range":86400},"stream_id":"5445736fd4c6d7d480b5f4c2","query":"*"},"col":2,"row":1,"height":0,"width":0},{"description":"Requests last 24h","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"stream_id":"5445736fd4c6d7d480b5f4c2","query":"*"},"col":1,"row":1,"height":0,"width":0},{"description":"HTTP versions last 
24h","type":"QUICKVALUES","cache_time":300,"configuration":{"timerange":{"type":"relative","range":86400},"field":"http_version","stream_id":"5445736fd4c6d7d480b5f4c2","query":"*"},"col":1,"row":4,"height":0,"width":0},{"description":"HTTP 5XXs last 24h","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"stream_id":"547b2a77d4c6c10b4f1b941f","query":"*"},"col":1,"row":3,"height":0,"width":0},{"description":"HTTP 4XXs last 24h","type":"STREAM_SEARCH_RESULT_COUNT","cache_time":10,"configuration":{"timerange":{"type":"relative","range":86400},"stream_id":"547b2ad4d4c6c10b4f1b9485","query":"*"},"col":1,"row":2,"height":0,"width":0},{"description":"HTTP 4XXs last 24h","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"interval":"minute","timerange":{"type":"relative","range":86400},"stream_id":"547b2ad4d4c6c10b4f1b9485","query":"*"},"col":2,"row":2,"height":0,"width":0},{"description":"HTTP 5XXs last 24h","type":"SEARCH_RESULT_CHART","cache_time":10,"configuration":{"interval":"minute","timerange":{"type":"relative","range":86400},"stream_id":"547b2a77d4c6c10b4f1b941f","query":"*"},"col":2,"row":3,"height":0,"width":0}]}],"grok_patterns":[],"lookup_tables":[],"lookup_caches":[],"lookup_data_adapters":[]}