Hi all,
After reading the docs I ended up with the following configuration:
# Tail the Apache access log. flags(no-parse) puts the whole line into
# ${MESSAGE} untouched (no syslog header parsing), so ${HOST} and the
# date macros are filled in by syslog-ng at read time, not from the line.
# NOTE(review): the path says "/var/logs/..." -- the usual directory is
# /var/log; confirm the file really lives there.
source s_apache_access_log {
    file(
        "/var/logs/apache2/access_log"
        follow-freq(1)      # poll the file for new lines once a second
        flags(no-parse)
    );
};
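# Recognise one vhost-style Apache access line in ${MESSAGE} and store its
# fields as $1..$8 (flags(store-matches)) for r_apache_access_log:
#   $1 vhost    $2 client IP   $3 method   $4 URI   $5 protocol
#   $6 status   $7 bytes       $8 user agent (with quotes, if your LogFormat quotes it)
# Changes from the first version of this pattern:
#   - matches explicitly against MESSAGE; match() without value() also
#     inspects the message header;
#   - the Referer field was hard-coded as "-", so every request that carried
#     a Referer header failed the filter and was dropped from the log path;
#   - the timezone was hard-coded as -0300 and %l/%u as "- -" (authenticated
#     requests were dropped); both now accept any value;
#   - anchored with ^...$ and the greedy (.*) groups replaced by [^ ]+ /
#     [^"]* where a field cannot contain its delimiter, so PCRE does not
#     backtrack across the client-controlled URI/User-Agent on non-matching
#     lines (the old pattern could get expensive on long crafted lines).
# The Referer stays non-capturing so $8 still means User-Agent; to store it,
# make that group capturing ($8) and renumber USER_AGENT to $9 in the rewrite.
# NOTE(review): syslog-ng 3.8+ ships apache-accesslog-parser(), which parses
# the common/combined formats without a hand-written regex -- worth a look.
filter f_apache_access_log {
    match(
        '^([^ ]+) ([^ ]+) [^ ]+ [^ ]+ \[[0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}\] \"([^ \"]+) ([^\"]*?) ([^ \"]+)\" ([0-9]{3}) ([0-9]+|-) \"(?:[^\"]*)\" (.*)$'
        value("MESSAGE")
        type("pcre")
        flags("store-matches")
    );
};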
# Copy the regex capture groups stored by f_apache_access_log into named
# values that the destination can reference as ${DOMAIN}, ${IP}, ...
# $5 (the third token of the request line, normally the protocol) is not stored.
# Every set() is guarded by condition(filter(f_apache_access_log)); in the
# log path below the filter has already passed, so the guard presumably just
# re-evaluates the same regex once per assignment and only matters if this
# rule is reused in a path without that filter.
rewrite r_apache_access_log {
    set("$1", value("DOMAIN")      condition(filter(f_apache_access_log)));
    set("$2", value("IP")          condition(filter(f_apache_access_log)));
    set("$3", value("HTTP_METHOD") condition(filter(f_apache_access_log)));
    set("$4", value("URI")         condition(filter(f_apache_access_log)));
    set("$6", value("HTTP_STATUS") condition(filter(f_apache_access_log)));
    set("$7", value("SIZE")        condition(filter(f_apache_access_log)));
    set("$8", value("USER_AGENT")  condition(filter(f_apache_access_log)));
};
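# Write each accepted line as a document into MongoDB (database "syslog",
# collection "logs").
destination d_apache_access_log {
    mongodb(
        # Connection-string options are documented at
        # https://docs.mongodb.com/manual/reference/connection-string/
        # (In the posted config this URL sat on a line of its own, outside a
        # comment, which the config parser rejects.)
        persist-name("apache-access-logs")
        # $server_and_port is a placeholder: replace it with the real
        # host:port. Nothing here enables authentication or TLS; unless the
        # server is reachable only from this host, add tls=true and a user
        # that can only write to this database -- and once a password is in
        # the URI, make this file readable by the syslog-ng user only.
        uri("mongodb://$server_and_port/syslog?wtimeoutMS=60000&socketTimeoutMS=60000&connectTimeoutMS=60000")
        collection("logs")
        retries(3600)   # send attempts before a message is dropped
        value-pairs(
            # The source uses flags(no-parse), so HOST is the host running
            # syslog-ng and DAY/MONTH/YEAR/HOUR/MIN are the time the line was
            # read -- not the timestamp inside the Apache line.
            pair("HOST", "${HOST}")
            pair("SERVICE", "APACHE")
            pair("DATE", "${DAY}/${MONTH}/${YEAR}")
            pair("TIME", "${HOUR}:${MIN}")
            pair("MESSAGE", "${MESSAGE}")
            # Fields set by r_apache_access_log; empty if the rewrite did not run.
            pair("DOMAIN", "${DOMAIN}")
            pair("HTTP_STATUS", "${HTTP_STATUS}")
            pair("HTTP_METHOD", "${HTTP_METHOD}")
            pair("USER_AGENT", "${USER_AGENT}")
            pair("SIZE", "${SIZE}")
            pair("URI", "${URI}")
            pair("IP", "${IP}")
        )
    );
};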
# Pipeline: tail the file, keep only lines the regex recognises (anything
# else is dropped here and never reaches MongoDB), extract the fields, ship.
log {
    source(s_apache_access_log);
    filter(f_apache_access_log);      # must run before the rewrite: it stores $1..$8
    rewrite(r_apache_access_log);
    destination(d_apache_access_log);
};
but I think something is not right; I'm not sure this is the correct way to do it.