graylog instructions readme

tobi 1 year ago
1 changed files with 27 additions and 0 deletions

@@ -50,3 +50,30 @@ notice the following things
* we define servicename.namespace.serviceclass.cluster.local as the full url nginx should give to the resolver we configured. this is based on the standard directives kubernetes sets in the resolv.conf of each pod. From inside a pod you may be able to just do `ping wiki`, that only works because in the resolv.conf there are a couple of settings that always try to append stuff like .tobias-huebner.svc.cluster.local, .svc.cluster.local
* we pass it to $endnpoint$request_uri, per default the request uri isnt passed, but since nginx sets that variable always we can just concat the two

# Logging to Graylog

We use this to pipe all access logs to our graylog syslog udp input.
http {
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"body_bytes_sent": $body_bytes_sent, '
'"request_time": $request_time, '
'"response_status": $status, '
'"request": "$request", '
'"request_method": "$request_method", '
'"host": "$host",'
'"upstream_cache_status": "$upstream_cache_status",'
'"upstream_addr": "$upstream_addr",'
'"http_x_forwarded_for": "$http_x_forwarded_for",'
'"http_referrer": "$http_referer", '
'"http_user_agent": "$http_user_agent" }';

access_log graylog2_json;


On our graylog server we want to create a dedicated udp syslog input. We also want to add two extractors, one on the field "message" using the pattern `nginx:\s+(.*)`;

Now all thats left is to add the default JSON extractor on the field generated by the previous extractor.
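Review bot: the `access_log graylog2_json;` line at the end of the added config names no destination, so nginx would treat `graylog2_json` as a relative file path and write the JSON lines to a file rather than send them to the Graylog syslog UDP input the surrounding text describes; it should read something like `access_log syslog:server=<graylog-host>:<port> graylog2_json;` (the nginx syslog tag defaults to `nginx`, which is what the `nginx:\s+(.*)` extractor pattern below relies on, so keep the default tag or adjust the pattern together with it). The `http {` block opened before the `log_format` is also never closed in the snippet; either add the closing `}` after `access_log` or drop the opening brace and say the directives belong inside `http`. Worth a one-line note as well that `escape=json` in `log_format` needs nginx 1.11.8 or newer, since on older versions the directive is rejected and the JSON would otherwise break on quotes in `$request` or `$http_user_agent`.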