Apache & Nginx Structure

InsightOps will automatically identify and index fields within your Apache and Nginx log events. Keys are automatically highlighted and clickable. Clicking on a field populates the search bar to allow quick searching across your data.


Parsing

If we take a typical Apache access log line in this format:

192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"

We know that the format of Apache access logs is:

*addr* - *user* *timestamp* "*method* *path* *version*" *status* *bytes* *referrer* *agent*

Those implied keys are parsed immediately and can be used in groupby queries and calculations. So from the example above:

Implied Key    Value
addr           192.0.2.1
user           Ultan
timestamp      [07/Mar/2004:16:43:54 -0800]
method         GET
path           /unencrypted_password_list
version        HTTP/1.1
status         404
bytes          9001
referrer       "http://passwords.hackz0r"
agent          Mozilla/4.08 [en] (Win95)

Using this data allows easier log searching. For example, you can now carry out queries such as:

To see when a referrer comes from a certain site:

where(referrer="http://passwords.hackz0r")

To see which URLs are hit most often:

groupby(path) calculate(count) sort(desc)

To see the average bytes sent:

calculate(average:bytes)

To see which addresses you are hit from most often:

calculate(count:addr) sort(desc)
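The following is an added example, not part of the InsightOps documentation or product code, showing how the implied keys in the format above are extracted from raw combined-format lines and how the four queries just listed map onto plain aggregation logic. The sample log lines are constructed for the example (the first one is the line from this page); the function names parse_line, where, groupby_count and average are assumptions chosen to mirror the query names, not InsightOps APIs. The parser also handles two edge cases the page's example does not show: a "-" in the bytes column (Apache writes that for a zero-length response) and a "-" in place of the user or referrer.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample lines in Apache/Nginx "combined" format (not from any real server).
# The first line is the example from the docs; the rest exercise "-" placeholders.
SAMPLE_LOG = """\
192.0.2.1 - Ultan [07/Mar/2004:16:43:54 -0800] "GET /unencrypted_password_list HTTP/1.1" 404 9001 "http://passwords.hackz0r" "Mozilla/4.08 [en] (Win95)"
192.0.2.1 - - [07/Mar/2004:16:44:02 -0800] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2004:16:45:10 -0800] "POST /login HTTP/1.1" 302 - "http://example.test/" "curl/7.64.1"
198.51.100.7 - - [07/Mar/2004:16:45:11 -0800] "GET /index.html HTTP/1.1" 200 1300 "-" "curl/7.64.1"
"""

# Regex following the field order given in the docs:
#   addr - user timestamp "method path version" status bytes referrer agent
# Named groups carry the same implied-key names the docs use.
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<version>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of implied keys for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    # Apache writes "-" for a zero-byte response; store 0 so numeric calculations still work.
    event["bytes"] = 0 if event["bytes"] == "-" else int(event["bytes"])
    return event


def parse_log(text):
    """Parse every line of a log body, silently skipping lines that are not in combined format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def where(events, **conditions):
    """Equivalent of where(key="value"): keep events whose named fields all match exactly."""
    return [e for e in events if all(e.get(k) == v for k, v in conditions.items())]


def groupby_count(events, key):
    """Equivalent of groupby(key) calculate(count) sort(desc): list of (value, count), largest first."""
    return Counter(e[key] for e in events).most_common()


def average(events, key):
    """Equivalent of calculate(average:key) over a numeric field; 0.0 for an empty result set."""
    return mean(e[key] for e in events) if events else 0.0


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("referrer hits:", where(events, referrer="http://passwords.hackz0r"))
    print("paths by count:", groupby_count(events, "path"))
    print("average bytes:", average(events, "bytes"))
    print("addresses by count:", groupby_count(events, "addr"))
```

Note that the parser strips the surrounding quotes from referrer and agent, so a where() condition is written against the bare URL, exactly as in the query on this page; the referrer column is also the one most worth a second look, since it is client-supplied and can carry arbitrary text.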