Apache & Nginx Structure
InsightOps automatically identifies and indexes fields within your Apache and Nginx log events. Keys are highlighted and clickable; clicking a field populates the search bar so you can search across your data quickly.
Parsing
If we take a normal Apache log example in this format:
192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"
The format of an Apache (or Nginx) access log in the standard combined layout is:
*addr* - *user* *timestamp* "*method* *path* *version*" *status* *bytes* *referrer* *agent*
Those implied keys are parsed immediately, so you can use them in groupby queries and calculations without defining anything yourself. From the example above:
| Implied Key | Value |
|---|---|
| addr | 192.0.2.1 |
| user | Ultan |
| timestamp | [07/Mar/2004:16:43:54 -0800] |
| method | GET |
| path | /unencrypted_password_list |
| version | HTTP/1.1 |
| status | 404 |
| bytes | 9001 |
| referrer | http://passwords.hackz0r |
| agent | Mozilla/4.08 [en] (Win95) |
Using these keys makes log searching easier. For example, you can now run queries such as:
Find events whose referrer comes from a particular site:
where(referrer="http://passwords.hackz0r")
Find which URLs are hit most often:
groupby(path) calculate(count) sort(desc)
Find the average number of bytes sent:
calculate(average:bytes)
Find which addresses hit you most often (the same groupby pattern as for paths):
groupby(addr) calculate(count) sort(desc)
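The following is an added example, not part of the InsightOps documentation or product code, showing what the implied-key parsing above does and what each of the four queries computes. It is a small Python parser for the combined access-log layout (the *addr* - *user* *timestamp* "*method* *path* *version*" *status* *bytes* *referrer* *agent* form) plus plain-Python equivalents of where, groupby/count, and average. The log lines are constructed for the example (the first one is the line from the page), and the function names where, groupby_count and average are this example's own, not LEQL syntax.

```python
import re
from collections import Counter

# Pattern for the combined access-log layout described above:
#   addr - user [timestamp] "method path version" status bytes "referrer" "agent"
# Quoted fields use (?:[^"\\]|\\.)* because Apache escapes embedded quotes as \",
# so a crafted Referer or User-Agent containing a quote cannot shift field boundaries.
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<version>HTTP/\d(?:\.\d)?)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def parse_line(line):
    """Return the implied key/value dict for one line, or None if it is not a combined-format entry."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    # Apache writes "-" when no body was sent; count it as 0 so averages still work.
    event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
    return event


def parse_lines(lines):
    """Split lines into (parsed events, lines that did not match).

    Lines that fail to parse are returned rather than silently dropped: a sudden
    run of unparsable lines is itself something worth looking at.
    """
    events, rejected = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


# Plain-Python equivalents of the queries above, run over a list of parsed events.
def where(events, key, value):
    """Equivalent of where(key="value")."""
    return [e for e in events if e.get(key) == value]


def groupby_count(events, key):
    """Equivalent of groupby(key) calculate(count) sort(desc): (value, count) pairs, most frequent first."""
    return Counter(e[key] for e in events).most_common()


def average(events, key):
    """Equivalent of calculate(average:key)."""
    values = [e[key] for e in events]
    return sum(values) / len(values) if values else 0.0


# Constructed sample entries; the first is the line from the page.
# The fifth carries an escaped quote in its User-Agent, the last is not an access-log line at all.
SAMPLE_LOG = [
    '192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"',
    '192.0.2.1 - - [07/Mar/2004:16:44:01 -0800] "GET /index.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Mar/2004:16:44:05 -0800] "GET /index.html HTTP/1.1" 200 1500 "http://passwords.hackz0r" "curl/7.64.1"',
    '198.51.100.7 - - [07/Mar/2004:16:44:09 -0800] "POST /login HTTP/1.1" 302 - "-" "curl/7.64.1"',
    '192.0.2.1 - - [07/Mar/2004:16:44:12 -0800] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 \\"quoted\\""',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LOG)
    print(f"parsed {len(events)} events, rejected {len(rejected)}")
    print("referrer matches:", len(where(events, "referrer", "http://passwords.hackz0r")))
    print("paths by count:", groupby_count(events, "path"))
    print("average bytes:", average(events, "bytes"))
    print("addrs by count:", groupby_count(events, "addr"))
```

Two points the regex makes explicit: a missing byte count is logged as "-" and must be mapped to a number before any average is taken, and the quoted referrer and agent fields are attacker-controlled, so the parser honours Apache's backslash escaping instead of stopping at the first double quote.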