Getting Nginx logs into Victoria-Logs – v2

VictoriaLogs is feature rich, which means at this point, I know very little about it.

I do know that the original syslog-ng configuration I supplied in Getting Nginx logs into Victoria-Logs is now less complicated. With the help of duck.ai, I managed to reduce it. Now it’s sending the JSON without running it through a parser.

In this post:

  • FreeBSD 15.1
  • syslog-ng-4.11.0_2
  • victoria-logs-1.50.0_2

The original configuration

The original configuration from the above post looked like this:

parser p_json {
    # flags(no-parse) puts the whole raw line in $MESSAGE; json-parser reads it from there
    json-parser(prefix(".json."));
};

source s_nginx_json {
    file("/var/log/nginx/access_json.log" flags(no-parse));
};

destination d_victorialogs_json {
    http(
        url("https://logs.int.unixathome.org:9428/insert/jsonline")
        method("POST")
 
        headers("Content-Type: application/x-ndjson")
        body("{\"_msg\":\"${.json._msg}\",\"_time\":\"${.json._time}\",\"_stream.app\":\"${.json._stream.app}\",\"status\":\"${.json.status}\",\"remote_addr\":\"${.json.remote_addr}\",\"body_bytes_sent\":\"${.json.body_bytes_sent}\",\"http_user_agent\":\"${.json.http_user_agent}\",\"request_time\":\"${.json.request_time}\",\"request_method\":\"${.json.request_method}\",\"host\":\"${.json.host}\",\"hostname\":\"${.json.hostname}\",\"server_name\":\"${.json.server_name}\"}\n")

        tls(
            peer-verify(yes)
        )

        # LOG LOSS PROTECTION:
        disk-buffer(
            disk-buf-size(1073741824)        # 1 GB max buffer storage size
            reliable(yes)                    # Synchronous disk writes protect against power loss
        )
        workers(2)
    );
};

log {
    source(s_nginx_json);
    parser(p_json);
    destination(d_victorialogs_json);
};

Of note: look at the body directive… all that text manipulation. There is an easier way.

The easier way

This is the new improved super duper syslog-ng configuration.

[11:47 aws-1 dvl /usr/local/etc] % tail -1 syslog-ng.conf                              
@include "/usr/local/etc/syslog-ng-nginx-simple-duck-duck.conf.works-fine"
[11:53 aws-1 dvl /usr/local/etc] % cat syslog-ng-nginx-simple-duck-duck.conf.works-fine
source s_nginx_json {
  file("/jails/nginx01/var/log/nginx/access_json.log" flags(no-parse) log-msg-size(65536));
};

destination d_debug_file {
  file("/tmp/victorialogs_debug.ndjson");
};

destination d_victorialogs_json {
  http(
    url("https://logs.int.unixathome.org:9428/insert/jsonline")
    method("POST")
    headers("Content-Type: application/json")
    body("${MESSAGE}\n")
    tls(peer-verify(yes))
  );
};

log {
  source(s_nginx_json);
  destination(d_debug_file);
  destination(d_victorialogs_json);
};
[11:53 aws-1 dvl /usr/local/etc] % 

Notes:

  1. I’ve started using include statements in the syslog-ng configuration – it makes it much easier to save changes, copy them to a new file and refine.
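  2. The source file is no longer parsed – it’s JSON; we use it. The parser declaration (p_json) is gone.
  3. There is no text processing in the body declaration. The incoming log file is JSON, and we send it out as JSON – no transformation.
  4. The Content-Type header is now application/json (was application/x-ndjson).
  5. I added a debug output – /tmp/victorialogs_debug.ndjson contains the output being sent to VictoriaLogs – this can be safely removed.
  6. The disk-buffer() and workers() options from the original configuration are not in this version, so the log loss protection they provided is not in place here.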

And it works. Hope this helps.
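Because the simplified configuration forwards each line as-is, nothing in syslog-ng checks that a line is valid JSON before it is sent. The following is an added example (not part of the original post) that audits the debug file from note 5; it assumes the nginx log format writes the keys named in the original body() template, and the sample lines are constructed.

```python
import json
import sys

# Keys taken from the body() template in the original configuration.
# Assumption: the nginx log_format writes these same keys.
REQUIRED = ("_msg", "_time", "_stream.app", "status", "remote_addr")
LOG_MSG_SIZE = 65536  # same value as log-msg-size() in s_nginx_json


def check_line(raw: bytes) -> list:
    """Return the problems found in one forwarded line (empty list = clean)."""
    problems = ["oversize"] if len(raw) >= LOG_MSG_SIZE else []
    try:
        record = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return problems + ["invalid_json"]
    if not isinstance(record, dict):
        return problems + ["not_object"]
    for key in REQUIRED:
        if key not in record:
            problems.append("missing:" + key)
        elif record[key] in ("", None):
            problems.append("empty:" + key)
    return problems


def audit(lines) -> dict:
    """Map 1-based line number to its problems, skipping clean and blank lines."""
    report = {}
    for number, raw in enumerate(lines, 1):
        raw = raw.rstrip(b"\r\n")
        problems = check_line(raw) if raw else []
        if problems:
            report[number] = problems
    return report


# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE = [
    b'{"_msg":"GET / HTTP/1.1","_time":"2025-01-01T00:00:00Z","_stream.app":"nginx","status":"200","remote_addr":"192.0.2.10"}\n',
    b'{"_msg":"GET /a HTTP/1.1","_time":"","status":"404","remote_addr":"192.0.2.11"}\n',
    b'{"_msg":"GET /b" HTTP/1.1","_time":"2025-01-01T00:00:02Z"}\n',  # unescaped quote
    b'["not", "an", "object"]\n',
]

if __name__ == "__main__":
    # Pass the debug file path as the first argument; without one, use SAMPLE
    lines = open(sys.argv[1], "rb") if len(sys.argv) > 1 else SAMPLE
    for number, problems in audit(lines).items():
        print(number, ", ".join(problems))
```

Run it against /tmp/victorialogs_debug.ndjson before removing the d_debug_file destination; any line it reports was forwarded to VictoriaLogs in that same form.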
