Open kwisatz opened 7 years ago
Hej @kwisatz I'll look into this.
First, thank you for the contribution!
Maybe you want to elaborate on why not write directly in a JSON format when you need to change the log format.
```nginx
log_format json escape=json '{ "@timestamp": "$time_iso8601", '
                            '"@fields": { '
                            '"remote_addr": "$remote_addr", '
                            '"remote_user": "$remote_user", '
                            '"body_bytes_sent": "$body_bytes_sent", '
                            '"request_time": "$request_time", '
                            '"status": "$status", '
                            '"request": "$request", '
                            '"request_method": "$request_method", '
                            '"vhost": "$host",'
                            '"http_x_forwarded_for": "$http_x_forwarded_for",'
                            '"http_referrer": "$http_referer", '
                            '"http_user_agent": "$http_user_agent" } }';
```
Additionally, `escape=json`, available in NGINX 1.11.8 and later, will make the exploit not easy. And if using a JSON log file, the regexes to extract the information are not needed. That should speed up the work with the messages.
Maybe you would like to make your modification available as a second option and not overwrite the default content pack that is working for most users.
Additionally, you might want to add the JSON information to the README.
See #6
I'm afraid I'll need a little guidance here. I created this by exporting the extracts for the nginx_access_log input. It looks different from the original content-pack json though. Is there another procedure to create content-pack json or has this simply changed over the versions?
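What `escape=json` changes for the log format posted above, as an added example that is not part of the original thread or the content pack: the two escaping functions are hypothetical Python approximations of NGINX's `json` and `default` variable escaping, and the shortened template and sample values are constructed.

```python
import json
import re

# Constructed: shortened version of the log_format posted in the thread.
TEMPLATE = ('{ "@timestamp": "$time_iso8601", "@fields": { '
            '"remote_addr": "$remote_addr", "status": "$status", '
            '"http_user_agent": "$http_user_agent" } }')

# Constructed sample request; the User-Agent carries quotes, a backslash and a tab.
SAMPLE = {
    "time_iso8601": "2024-01-01T12:00:00+00:00",
    "remote_addr": "192.0.2.10",
    "status": "200",
    "http_user_agent": 'Mozilla/5.0 "test" \\ agent\twith tab',
}

_SHORT = {'"': '\\"', '\\': '\\\\', '\n': '\\n', '\r': '\\r',
          '\t': '\\t', '\b': '\\b', '\f': '\\f'}

def escape_json(value):
    # Approximation of escape=json: quote, backslash and control characters
    # are written as JSON escapes, everything else is passed through.
    return ''.join(_SHORT.get(c) or (f'\\u{ord(c):04X}' if ord(c) < 32 else c)
                   for c in value)

def escape_default(value):
    # Approximation of the default escaping: quote, backslash and bytes
    # below 32 or above 126 are written as \xXX, which is not a JSON escape.
    return ''.join(f'\\x{b:02X}' if b in (0x22, 0x5C) or b < 32 or b > 126
                   else chr(b) for b in value.encode('utf-8'))

def render(variables, escape):
    # Substitute every $variable in one pass, escaping each value.
    return re.sub(r'\$(\w+)', lambda m: escape(variables[m.group(1)]), TEMPLATE)

def parse(line):
    # Return the @fields object, or None when the line is not valid JSON.
    try:
        return json.loads(line)['@fields']
    except json.JSONDecodeError:
        return None

if __name__ == "__main__":
    for name, esc in (("escape=json", escape_json), ("default", escape_default)):
        line = render(SAMPLE, esc)
        print(name, "->", line)
        print("  parsed fields:", parse(line))
```

With the `json` escaping the line parses and the User-Agent stays inside its own field; with the default escaping the same template produces `\x22` sequences that a strict JSON parser rejects.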