Extending Parsers for Custom Access Logs
It is natural to want more fields in your logs. If you are using our recommended key-value format, as seen in the section NGINX Server Configuration, you can add new fields to your logs without needing to change parsers.
Adding new key-value pairs to the log formatting means the existing access log parser automatically picks them up.
When adding new fields, it is good practice to add quotes around the values, in case they contain spaces. You can also create different parsers if you prefer a different log format, and still be able to use dashboards and searches from this package.
The only requirements are that the fields in the table below are present, and that the access logs are tagged as access logs. To tag the data, your parser should add a field to each log event:
#event.dataset = "nginx.access"
Then configure the parser to use this field as a tag (see Event Tags). These are the fields the package currently expects access logs to contain:
Table: Default Access Log Mapping
Parser Field | Format String |
---|---|
client | $remote_addr |
userid | $remote_user |
timestamp | $time_local |
method | part of $request |
url | part of $request |
httpversion | part of $request |
status | $status |
body_bytes_sent | $body_bytes_sent |
referer | $http_referer |
user_agent | $http_user_agent |
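The following Python sketch is an added example, not the package's parser: it parses a key-value access log line, checks it against the required fields in the table above, and shows how a value containing spaces is cut short when the quotes are left out. The key names in the sample lines (including `request` and `request_time`) are assumptions made for the example.

```python
import re

# Parser field names from the "Default Access Log Mapping" table.
REQUIRED = ("client", "userid", "timestamp", "method", "url", "httpversion",
            "status", "body_bytes_sent", "referer", "user_agent")

# Matches key="quoted value" or key=bare_token (a bare token ends at a space).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
REQUEST_RE = re.compile(r"^(\S+) (\S+) HTTP/(\S+)$")


def parse_access_line(line):
    """Turn one key-value access log line into a tagged event dict."""
    event = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    # method, url and httpversion are each part of $request.
    match = REQUEST_RE.match(event.get("request", ""))
    if match:
        event["method"], event["url"], event["httpversion"] = match.groups()
    event["#event.dataset"] = "nginx.access"  # tag expected by the package
    return event


def missing_fields(event):
    """Required parser fields that are absent from the event."""
    return [name for name in REQUIRED if name not in event]


# Constructed sample lines; the key names are assumptions for this example.
QUOTED = ('client="203.0.113.7" userid="-" timestamp="10/Oct/2023:13:55:36 +0000" '
          'request="GET /index.html HTTP/1.1" status="200" body_bytes_sent="512" '
          'referer="-" user_agent="Mozilla/5.0 (X11; Linux x86_64)" '
          'request_time="0.004"')
UNQUOTED = QUOTED.replace('"', "")

if __name__ == "__main__":
    good, bad = parse_access_line(QUOTED), parse_access_line(UNQUOTED)
    print("quoted   user_agent:", good["user_agent"], "| missing:", missing_fields(good))
    print("unquoted user_agent:", bad["user_agent"], "| missing:", missing_fields(bad))
```

With the unquoted line, the user agent and timestamp are truncated at the first space and the request can no longer be split, so three required fields go missing and dashboards that rely on them would show gaps.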
Table: Additional Field Mapping for Custom Access Log Format
Parser Field | Format String |
---|---|
userid | $remote_user |
httpversion | part of $request |
Additionally, these fields are extracted from the default combined access log format, but are not currently used: