Filebeat nginx determine application name via context root

Question

I currently have filebeat reading nginx logs and pushing them to a logstash, I am trying to determine which application the log is coming from by looking at the URI context root (not sure if this is the correct way to do it), but the issue is when there is no context root. Logstash will parse the value right after the host.

Here is my nginx config.

server {
listen       443;
server_name  MyServer.com;
access_log /var/log/nginx/access_dev.log main if=$loggable;
error_log /var/log/nginx/error_dev.log;

ssl                  on;
ssl_certificate      ssl/bundle.pem;
ssl_certificate_key  ssl/wildcard.key;
ssl_session_timeout  5m;
proxy_ssl_verify     off;

ssl_protocols  TLSv1.2;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!aNULL;
ssl_prefer_server_ciphers   on;
add_header X-Forwarded-For $host;
add_header X-Forwarded-Proto $scheme;
add_header Host $host;

add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

location / {
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header Host $host;
    proxy_pass https://app01.domain.local:443/;
}

location /applicationOne {
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header Host $host;
    proxy_read_timeout 120s;
    proxy_pass https://app02.domain.local:443;
}
}

Is it possible to add variables to the specific location and say what the application name is? So for location / I would add lets say "Portal" and then in the nginx log it will log "Portal" at then end?

Here is my current nginx.conf

http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" -- 
  $sent_http_x_username';

  map $request_uri $loggable {
    default                                             1;
    ~*\.(ico|css|js|gif|jpg|jpeg|png|svg|woff|woff2|ttf|eot)$ 0;
  }

  access_log  /var/log/nginx/access.log  main;

  sendfile        on;
  #tcp_nopush     on;

  keepalive_timeout  65;

  #gzip  on;

  include /etc/nginx/conf.d/*.conf;
}

Example of what I am asking for with Portal on the end of a log.

198.143.37.12 - - [31/Jul/2019:10:44:13 -0400] "GET /nosession HTTP/1.1" 200 3890 "-" "Safari/14607.2.6.1.1 CFNetwork/978.0.7 Darwin/18.6.0 (x86_64)" "199.83.71.22" "Portal"

And if that is not possible are there any other ideas on how to solve this?

score 0 · Answer 1 · answered Jul 31 '19 at 19:37

0

I used the approach to add a header and then log that header.

In my

location / {
  add_header x-application "App Name";
}

In the nginx.conf

$sent_http_x_application

was added to log_fromat

answered Jul 31 '19 at 19:37

Justin

866
1
13
29

Filebeat nginx determine application name via context root

1 Answers1