Extending Parsers for Custom Access Logs

It is natural to want more fields in your logs, and if you are using our recommended key-value format, as seen in the section NGINX Server Configuration, you can add new fields to your logs without needing to change parsers.

Adding new key-value pairs to the log formatting means the existing access log parser automatically picks them up.

When adding new fields, it is good practice to add quotes around the values, in case they contain spaces. You can also create different parsers if you prefer a different log format, and still be able to use dashboards and searches from this package.

The only requirements are that the fields in the table below are present and that the events are tagged as access logs. To tag the data, your parser should add a field to each log event:

| logtype := "nginx-access-log"

Then configure the parser to use this field as a tag (see Event Tags). These are the fields the package currently expects access logs to contain:

Table: Default Access Log Mapping

Parser Field       Format String
client             $remote_addr
userid             $remote_user
timestamp          $time_local
method             part of $request
url                part of $request
httpversion        part of $request
status             $status
body_bytes_sent    $body_bytes_sent
referer            $http_referer
user_agent         $http_user_agent


Table: Additional Field Mapping for Custom Access Log Format

Parser Field       Format String
userid             $remote_user
httpversion        part of $request

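The following added example (not code from this package) shows why a new field should be quoted and how to check a custom format against the required fields in the default mapping table. It assumes the log keys match the parser field names, that a `request` key carries `$request`, and that `upstream_addr` is the newly added field; the parser is a simplified stand-in and the log lines are constructed.

```python
import re

# Parser fields the package expects (Default Access Log Mapping table).
REQUIRED = {"client", "userid", "timestamp", "method", "url", "httpversion",
            "status", "body_bytes_sent", "referer", "user_agent"}

# key="quoted value" or key=bare_token. Simplified stand-in, not the package's parser.
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

def parse_kv(line):
    """Extract key-value pairs from one log line into a dict."""
    fields = {}
    for m in KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    # Assumption: $request is logged under the key "request" and split here.
    parts = fields.get("request", "").split(" ")
    if len(parts) == 3:
        fields["method"], fields["url"], fields["httpversion"] = parts
    return fields

def missing_fields(fields):
    """Return the required parser fields that a parsed event lacks."""
    return sorted(REQUIRED - fields.keys())

# Constructed sample lines. $upstream_addr holds a comma-and-space separated
# list when several upstream servers were contacted, so it can contain spaces.
BASE = ('client="203.0.113.7" userid="-" timestamp="12/Mar/2024:10:15:32 +0000" '
        'request="GET /index.html HTTP/1.1" status="200" body_bytes_sent="512" '
        'referer="-" user_agent="Mozilla/5.0 (X11; Linux x86_64)" ')
QUOTED = BASE + 'upstream_addr="10.0.0.5:8080, 10.0.0.6:8080"'
UNQUOTED = BASE + 'upstream_addr=10.0.0.5:8080, 10.0.0.6:8080'

if __name__ == "__main__":
    for name, line in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        event = parse_kv(line)
        print(name, repr(event["upstream_addr"]), "missing:", missing_fields(event))
```

The unquoted variant silently loses the second upstream address, which is the failure that quoting new values prevents.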

Additionally, these fields are extracted from the default combined access log format, but are not currently used: