{ "name": "nginx-docker", "description": "This content pack supports nginx running in docker, sending JSON formatted log messages over GELF, allowing for arbitrary addition of fields without having to add regex extractors, as well as faster performance on the graylog side as it has reduced numbers of regexes running against the input compared with the original graylog version.\\n\\nIt then blanks the \\\"json\\\" field used as an intermediate step, and reduces the message field to just show the request path, reducing the storage requirements.", "category": "nginx", "inputs": [ { "id": "5b44826449b1040437bf8648", "title": "nginx logs", "configuration": { "override_source": null, "recv_buffer_size": 1048576, "bind_address": "0.0.0.0", "port": 12401, "decompress_size_limit": 8388608 }, "static_fields": { "from_nginx": "true" }, "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput", "global": true, "extractors": [ { "title": "Extract JSON fields from gelf message", "type": "JSON", "cursor_strategy": "COPY", "target_field": "", "source_field": "message", "configuration": { "flatten": true, "list_separator": ", ", "kv_separator": "=", "key_prefix": "", "key_separator": "_", "replace_key_whitespace": false, "key_whitespace_replacement": "_" }, "converters": [], "condition_type": "REGEX", "condition_value": "^\\{", "order": 0 }, { "title": "Reduce message to path", "type": "REGEX_REPLACE", "cursor_strategy": "COPY", "target_field": "message", "source_field": "message", "configuration": { "replacement": "$1", "regex": ".*request\": \"(.*?)\".*" }, "converters": [], "condition_type": "REGEX", "condition_value": "^\\{", "order": 1 }, { "title": "[Error log] extract fields", "type": "GROK", "cursor_strategy": "COPY", "target_field": "", "source_field": "message", "configuration": { "grok_pattern": "^(?%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \\[%{LOGLEVEL:severity}\\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: %{IPORHOST:client})(?:, server: %{IPORHOSTORUNDERSCORE:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host: %{QS:host})?(?:, referrer: \"%{URI:referrer}\")?$", "named_captures_only": true }, "converters": [], "condition_type": "REGEX", "condition_value": "^(\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2}) \\[(\\w+)\\] (\\d+).(\\d+): (.*)$", "order": 2 }, { "title": "[Error log] Reduce error log to message only", "type": "REGEX_REPLACE", "cursor_strategy": "COPY", "target_field": "message", "source_field": "message", "configuration": { "regex": "^\\d{4}\\/\\d{2}\\/\\d{2} \\d{2}:\\d{2}:\\d{2} \\[\\w+\\] \\d+.\\d+: (.*?), client:.*$", "replacement": "$1", "replace_all": false }, "converters": [], "condition_type": "REGEX", "condition_value": "^(\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2}) \\[(\\w+)\\] (\\d+).(\\d+): (.*)$", "order": 3 } ] } ], "streams": [ { "id": "547b2a2dd4c6c10b4f1b93ce", "title": "nginx HTTP 404s", "description": "All requests that were answered with a HTTP 404 by nginx", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "from_nginx", "value": "true", "inverted": false, "description": "" }, { "type": "EXACT", "field": "response_status", "value": "404", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false }, { "id": "5445733cd4c6d7d480b5f48b", "title": "nginx errors", "description": "All requests that were logged into the nginx error_log", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "from_nginx", "value": "true", "inverted": false, "description": "" }, { "type": "PRESENCE", "field": "nginx_access", "value": "", "inverted": true, "description": "" }, { "type": "REGEX", "field": "message", "value": "^(\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2}) \\[(\\w+)\\] (\\d+).(\\d+): (.*)$", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false }, { "id": "5445736fd4c6d7d480b5f4c2", "title": "nginx requests", "description": "All requests that were logged into the nginx access_log", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "nginx_access", "value": "true", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false }, { "id": "547b2a77d4c6c10b4f1b941f", "title": "nginx HTTP 5XXs", "description": "All requests that were answered with a HTTP code in the 500 range by nginx", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "from_nginx", "value": "true", "inverted": false, "description": "" }, { "type": "GREATER", "field": "response_status", "value": "499", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false }, { "id": "547b2ad4d4c6c10b4f1b9485", "title": "nginx HTTP 4XXs", "description": "All requests that were answered with a HTTP code in the 400 range by nginx", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "from_nginx", "value": "true", "inverted": false, "description": "" }, { "type": "GREATER", "field": "response_status", "value": "399", "inverted": false, "description": "" }, { "type": "SMALLER", "field": "response_status", "value": "500", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false }, { "id": "547b29b6d4c6c10b4f1b934d", "title": "nginx", "description": "All requests that were logged into the nginx access_log or nginx_error_log", "disabled": false, "matching_type": "AND", "stream_rules": [ { "type": "EXACT", "field": "from_nginx", "value": "true", "inverted": false, "description": "" } ], "outputs": [], "default_stream": false } ], "outputs": [], "dashboards": [ { "title": "nginx overview", "description": "Overview of requests handled by nginx", "dashboard_widgets": [ { "description": "Response codes last hour", "type": "QUICKVALUES", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 3600 }, "field": "response_status", "stream_id": "5445736fd4c6d7d480b5f4c2", "query": "*" }, "col": 3, "row": 4, "height": 3, "width": 1 }, { "description": "Response codes last 24h", "type": "QUICKVALUES", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 86400 }, "field": "response_status", "stream_id": "5445736fd4c6d7d480b5f4c2", "query": "*" }, "col": 2, "row": 4, "height": 3, "width": 1 }, { "description": "Requests last 24h", "type": "SEARCH_RESULT_CHART", "cache_time": 10, "configuration": { "interval": "minute", "timerange": { "type": "relative", "range": 86400 }, "stream_id": "5445736fd4c6d7d480b5f4c2", "query": "*" }, "col": 2, "row": 1, "height": 1, "width": 2 }, { "description": "Requests last 24h", "type": "STREAM_SEARCH_RESULT_COUNT", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 86400 }, "stream_id": "5445736fd4c6d7d480b5f4c2", "query": "*" }, "col": 1, "row": 1, "height": 1, "width": 1 }, { "description": "HTTP versions last 24h", "type": "QUICKVALUES", "cache_time": 300, "configuration": { "timerange": { "type": "relative", "range": 86400 }, "field": "http_version", "stream_id": "5445736fd4c6d7d480b5f4c2", "query": "*" }, "col": 1, "row": 4, "height": 3, "width": 1 }, { "description": "HTTP 5XXs last 24h", "type": "STREAM_SEARCH_RESULT_COUNT", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 86400 }, "stream_id": "547b2a77d4c6c10b4f1b941f", "query": "*" }, "col": 1, "row": 3, "height": 1, "width": 1 }, { "description": "HTTP 4XXs last 24h", "type": "STREAM_SEARCH_RESULT_COUNT", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 86400 }, "stream_id": "547b2ad4d4c6c10b4f1b9485", "query": "*" }, "col": 1, "row": 2, "height": 1, "width": 1 }, { "description": "HTTP 4XXs last 24h", "type": "SEARCH_RESULT_CHART", "cache_time": 10, "configuration": { "interval": "minute", "timerange": { "type": "relative", "range": 86400 }, "stream_id": "547b2ad4d4c6c10b4f1b9485", "query": "*" }, "col": 2, "row": 2, "height": 1, "width": 2 }, { "description": "HTTP 5XXs last 24h", "type": "SEARCH_RESULT_CHART", "cache_time": 10, "configuration": { "interval": "minute", "timerange": { "type": "relative", "range": 86400 }, "stream_id": "547b2a77d4c6c10b4f1b941f", "query": "*" }, "col": 2, "row": 3, "height": 1, "width": 2 }, { "description": "Map of requests", "type": "org.graylog.plugins.map.widget.strategy.MapWidgetStrategy", "cache_time": 10, "configuration": { "timerange": { "type": "relative", "range": 300 }, "field": "remote_addr_geolocation", "stream_id": "547b29b6d4c6c10b4f1b934d", "query": "" }, "col": 4, "row": 1, "height": 2, "width": 2 } ] } ], "grok_patterns": [ { "name": "HOUR", "pattern": "(?:2[0123]|[01]?[0-9])" }, { "name": "HOSTNAME", "pattern": "\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)" }, { "name": "IPV6", "pattern": "((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?" }, { "name": "IPV4", "pattern": "(?[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))" }, { "name": "URI", "pattern": "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?" }, { "name": "YEAR", "pattern": "(?>\\d\\d){1,2}" }, { "name": "GREEDYDATA", "pattern": ".*" }, { "name": "POSINT", "pattern": "\\b(?:[1-9][0-9]*)\\b" }, { "name": "URIHOST", "pattern": "%{IPORHOST}(?::%{POSINT:port})?" }, { "name": "IPORHOST", "pattern": "(?:%{IP}|%{HOSTNAME})" }, { "name": "URIPROTO", "pattern": "[A-Za-z]+(\\+[A-Za-z+]+)?" }, { "name": "QS", "pattern": "%{QUOTEDSTRING}" }, { "name": "QUOTEDSTRING", "pattern": "(?>(?\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))" }, { "name": "URIPATHPARAM", "pattern": "%{URIPATH}(?:%{URIPARAM})?" }, { "name": "LOGLEVEL", "pattern": "([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)" }, { "name": "MONTHDAY", "pattern": "(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])" }, { "name": "MONTHNUM", "pattern": "(?:0?[1-9]|1[0-2])" }, { "name": "NUMBER", "pattern": "(?:%{BASE10NUM})" }, { "name": "SECOND", "pattern": "(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)" }, { "name": "TIME", "pattern": "(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])" }, { "name": "USER", "pattern": "%{USERNAME}" }, { "name": "USERNAME", "pattern": "[a-zA-Z0-9._-]+" }, { "name": "URIPATH", "pattern": "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+" }, { "name": "URIPARAM", "pattern": "\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]<>]*" } ], "lookup_tables": [], "lookup_caches": [], "lookup_data_adapters": [] }