Grok pattern for Nginx error logs

Nginx allow for the underscore domain as a default so you need to add a new pattern first:


And this pattern should then work:

^(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOSTORUNDERSCORE:server})(?:, request: %{QS:request})?(?:, upstream: "%{URI:upstream}")?(?:, host: %{QS:host})?(?:, referrer: "%{URI:referrer}")?$

This was tested with this line:

2017/07/19 11:30:12 [error] 94692#94692: *66 directory index of "/home/XYZ/" is forbidden, client:, server: _, request: "GET / HTTP/1.1", host: ""