Common Configuration Cookbooks
1. Inputs
See: Using Decoders with Input Plugins
1.1. Syslog
Covered in Using Decoders with Input Plugins
1.2. Auditd Log
-- Input: auditd. Tails /var/log/audit.log with the tail.lua input plugin and
-- hands every line to the logfmt decoder (auditd writes key=value records).
input_filename       = '/var/log/audit.log'
filename             = 'tail.lua'
follow               = 'name'        -- track the path rather than the open descriptor; presumably so rotation is survived — confirm in tail.lua
ticker_interval      = 1             -- poll interval for tail.lua (presumably seconds)
decoder_module       = 'lpeg.logfmt'
-- Keep forwarding records the decoder rejects instead of dropping them silently:
-- for an audit trail, an unparsed record is still evidence and a visible signal
-- that the grammar and the log format have drifted apart.
send_decode_failures = true
1.3. Nginx Access Log
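-- Input: nginx access log. Tails /var/log/nginx/access.log and builds the
-- decoder grammar from the same log_format string nginx was configured with.
filename        = "tail.lua"
ticker_interval = 1        -- poll interval for tail.lua (presumably seconds)
follow          = "name"   -- track the path rather than the open descriptor; presumably so rotation is survived — confirm in tail.lua
input_filename  = "/var/log/nginx/access.log"
-- Must match the `log_format` directive in nginx.conf exactly; any divergence
-- makes every line a decode failure. (No trailing comma here: a comma after a
-- top-level assignment is a Lua syntax error and the whole config fails to load.)
log_format = '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
-- NOTE(review): the other recipes on this page spell the module as
-- "lpeg.common_log_format#..."; confirm which spelling the module loader expects.
decoder_module = { { {"common_log_format#build_nginx_grammar", log_format}, nil} }
-- Forward lines the grammar rejects rather than dropping them silently, so a
-- format mismatch (or a deliberately malformed request line) stays visible.
send_decode_failures = true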
1.4. Nginx Error Log
-- Input: nginx error log. Tails /var/log/nginx/error.log and decodes each line
-- with the prebuilt nginx error-log grammar (no log_format needed).
input_filename       = '/var/log/nginx/error.log'
filename             = 'tail.lua'
follow               = 'name'   -- track the path rather than the open descriptor; presumably so rotation is survived — confirm in tail.lua
ticker_interval      = 1        -- poll interval for tail.lua (presumably seconds)
decoder_module       = 'lpeg.common_log_format#nginx_error_grammar'
-- Undecodable lines are still forwarded so a grammar/format mismatch is noticed
-- rather than silently discarded.
send_decode_failures = true
1.5. MySQL Slow Query Log
-- Input: MySQL slow query log. Tails /var/log/mysql/slow-query.log and decodes
-- each multi-line entry with the prebuilt slow-query grammar.
input_filename       = '/var/log/mysql/slow-query.log'
filename             = 'tail.lua'
follow               = 'name'   -- track the path rather than the open descriptor; presumably so rotation is survived — confirm in tail.lua
ticker_interval      = 1        -- poll interval for tail.lua (presumably seconds)
-- Slow-log entries span several lines and each one starts with a "# User@Host:"
-- header; this pattern presumably tells tail.lua where one record ends and the
-- next begins — confirm against the tail.lua delimiter docs.
delimiter            = '^# User@Host:'
decoder_module       = 'lpeg.mysql#slow_query_grammar'
-- Entries the grammar rejects are still forwarded rather than dropped silently.
send_decode_failures = true
1.6. Apache Access Log
-- Input: Apache access log. Tails /var/log/apache/access.log and builds the
-- decoder grammar from the Apache LogFormat string the server writes with.
input_filename  = '/var/log/apache/access.log'
filename        = 'tail.lua'
follow          = 'name'   -- track the path rather than the open descriptor; presumably so rotation is survived — confirm in tail.lua
ticker_interval = 1        -- poll interval for tail.lua (presumably seconds)
-- Must match the LogFormat directive in the Apache config exactly; any
-- divergence turns every line into a decode failure.
log_format = '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'
-- NOTE(review): other recipes on this page spell the module as
-- "lpeg.common_log_format#..."; confirm which spelling the module loader expects.
decoder_module = {
  { {'common_log_format#build_apache_grammar', log_format}, nil },
}
-- Lines the grammar rejects are still forwarded so a format mismatch (or a
-- deliberately malformed request line) stays visible instead of vanishing.
send_decode_failures = true
1.7. pfSense 2.2+
-- Input: pfSense 2.2+ over UDP syslog. Listens on its own port, decodes the
-- syslog envelope, then dispatches on the syslog tag / hostname: firewall
-- filterlog lines go to the BSD filterlog grammar, and the nginx access log
-- relayed from one named host goes to a grammar built from log_format.
filename          = 'udp.lua'
instruction_limit = 0      -- 0 presumably lifts the sandbox instruction cap for this plugin; confirm in the sandbox docs before copying
-- "*" binds every interface. UDP syslog carries no authentication and the
-- source address is trivially forged, so keep port 4514 reachable only from
-- the pfSense host (host firewall, or bind a specific address instead).
address           = '*'
-- pfSense emits syslog that does not follow the standard format, so it gets a
-- dedicated port rather than sharing the regular syslog listener.
port              = 4514
decoder_module    = 'decoders.syslog'
-- Messages no sub-decoder accepts are still forwarded rather than dropped
-- silently, so an unexpected tag or format change remains visible.
send_decode_failures = true

-- Same nginx combined format as the local recipe, but prefixed with the
-- "nginx: " syslog tag as it arrives inside the syslog message body. Must match
-- the nginx log_format on the sending host exactly.
log_format = 'nginx: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'

decoders_syslog = {
  template = '<%PRI%>%TIMESTAMP% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%',
  sub_decoders = {
    -- pfSense firewall log lines (syslog tag "filterlog").
    filterlog = 'lpeg.bsd.filterlog',
    -- Messages from this specific host are treated as nginx access-log lines.
    -- Because the hostname comes from the unauthenticated syslog header, the
    -- network restriction on the listener above is what makes this mapping
    -- trustworthy; the key itself does not verify the sender.
    ['hostname.example.com'] = {
      { {'lpeg.common_log_format#build_nginx_grammar', log_format}, nil },
    },
  },
}