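filter {
  if [type] == "nginx-access" {
    # Parse an nginx combined-style access line into fields. Patterns are
    # tried in order and the first one that matches wins (grok's default
    # break_on_match), so ordering matters: each variant that captures a
    # query string (URIPARAM) must precede the same variant without one,
    # and the prefixed variants ("- " or a request UUID before the IP) must
    # precede the bare one — grok does not anchor, so the bare IP pattern
    # would also match a prefixed line and silently drop the prefix.
    # The original file listed these as six repeated `match` options, which
    # Logstash merges into exactly this array; the explicit array form is
    # the documented spelling and makes the precedence visible.
    # Field types: server_response is cast to int; size stays :float as in
    # the original so the indexed mapping is unchanged.
    grok {
      match => {
        "message" => [
          "- %{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}%{URIPARAM:params} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "- %{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{UUID:request_uuid} %{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}%{URIPARAM:params} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{UUID:request_uuid} %{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page}%{URIPARAM:params} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}",
          "%{IP:client_ip} - %{DATA:username} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATH:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response:int} %{NUMBER:size:float} %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:useragent}"
        ]
      }
    }

    # Only post-process lines grok actually understood. Previously the last
    # mutate removed `message` unconditionally, so an event tagged
    # _grokparsefailure kept the tag but lost the raw line — useless for
    # troubleshooting or for an investigation that needs the original
    # request. Skipping geoip/date here also avoids spurious lookup-failure
    # tags on events that have no client_ip/timestamp to begin with.
    if "_grokparsefailure" not in [tags] {
      mutate {
        # drop the ? from beginning of params (and elsewhere...)
        gsub => ["params", "\?", ""]
      }

      # Query-string keys and values come straight from the client. With no
      # `target`, kv writes them as top-level event fields, so a request such
      # as ?type=...&client_ip=... can overwrite fields this pipeline set
      # above. The layout is kept top-level here so existing consumers keep
      # working; moving to `target => "<namespace>"` (or an `include_keys`
      # allow-list) is the safer shape and is recommended when the index
      # mapping can be changed. `exclude_keys` stops credential-looking
      # parameters from ever being written into the event.
      kv {
        field_split => "&"
        source => "params"
        exclude_keys => [ "password", "password_confirmation" ]
      }

      # Belt and braces: remove the credential fields again in case they
      # reached the event by another path, and drop the raw `params` and
      # `message` now that everything useful has been extracted.
      mutate {
        remove_field => [ "password", "password_confirmation", "params", "message"]
      }

      # Enriches from client_ip; the commented block below assumes the
      # result lands under [geoip], which is the pre-ECS default target —
      # confirm against the Logstash version in use.
      geoip {
        source => "client_ip"
      }

      # HTTPDATE always carries a numeric offset, which the `Z` token
      # consumes, so `timezone` should only act as a fallback for values
      # without one — verify if events ever arrive with a bare timestamp.
      date {
        match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
        timezone => "CET"
      }
    }

    # Left as found (disabled). Note it would feed [geoip][longitude] — a
    # coordinate, not a hostname — into a reverse DNS lookup; re-check the
    # source field before re-enabling.
    # mutate {
    # add_field => { "request_hostname" => "%{[geoip][longitude]}" }
    # }
    # dns {
    # reverse => [ "request_hostname"]
    # add_tag => [ "dns_lookup" ]
    # action => "replace"
    # }
  }
}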