Nginx Custom Log help

Mastadon · November 26, 2021, 11:49pm

I’m trying to secure a cloudron server that runs NGINX as a proof of concept in an attempt to get Cloudron Dev’s to incorporate crowdsec as part of the build process. It seems that Cloudron uses a custom log format for NGINX and as such all my NGINX logs are showing up as “unparsed” in the metrics.
The NGINX.conf shows the following format

the collectd config depends on this log format

log_format combined2 '$remote_addr - [$time_local] '
    '"$request" $status $body_bytes_sent $request_time '
    '"$http_referer" "$host" "$http_user_agent"';

What can I do to get crowdsec to parse this format?

thibault · November 29, 2021, 8:30am

Hello @Mastadon !

If you have a custom log format for nginx, the best would be to copy the existing nginx parser and modify it for your needs. Once you have it figured out, it would be to open a pull request so that we can integrate it into the hub and make it available for all !

In order to make it work, here a few useful pointers :

Grab some sample logs : it will be very useful for testing.
If you are using the latest (1.2.1) crowdsec version, cscli explain will hopefully make your life easier (it’s a new feature, so feedback is appreciated !)
Otherwise, the “how to create parsers” documentation is what you might want to follow !

And when it comes to debugging the grok pattern itself grok debugger and debuggex are your friends as usual !

Hope this helps !

Topic		Replies	Views
NGiNX Logs in GELF JSON Format crowdsec	13	2853	November 17, 2020
Nginx logs not being parsed - cscli explain works crowdsec	1	689	January 31, 2023
Cscli metrics unparsed logs crowdsec	4	971	December 15, 2020
Not a standard directory for logs crowdsec	10	990	March 23, 2021
Using Crowdsec on Runcloud servers crowdsec	2	804	August 31, 2023

Nginx Custom Log help

the collectd config depends on this log format

Related Topics