Grok pattern for Nginx error logs

Nginx allow for the underscore domain as a default so you need to add a new pattern first:

IPORHOSTORUNDERSCORE (?:%{HOSTNAME}|%{IP}|_)

And this pattern should then work:

^(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOSTORUNDERSCORE:server})(?:, request: %{QS:request})?(?:, upstream: "%{URI:upstream}")?(?:, host: %{QS:host})?(?:, referrer: "%{URI:referrer}")?$

This was tested with this line:

2017/07/19 11:30:12 [error] 94692#94692: *66 directory index of "/home/XYZ/" is forbidden, client: 192.168.1.109, server: _, request: "GET / HTTP/1.1", host: "192.168.20.2"

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.