New Relic can parse common log formats according to built-in rulesets, so you don't have to create your own parsing rules. This page lists each built-in log parsing ruleset, its Grok pattern, and the fields it parses.
To enable built-in log parsing, see How to add the logtype attribute.
Apache
Source
logtype = 'apache'
Grok
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}
Results
| Field Name | Meaning |
|---|---|
| | The IP address of the client |
| | The HTTP verb |
| | The user identity of the client making the request |
| | The HTTP status code of the response |
| | The URI and request being made |
| | The HTTP version of the request |
| | The raw HTTP request if data is posted |
| | The number of bytes sent |
| | The HTTP referrer |
| | The client's user agent |
Application Load Balancer
Source
logtype = 'alb'
Grok
^%{NOTSPACE:type} %{TIMESTAMP_ISO8601:time} %{NOTSPACE:elb} %{NOTSPACE:client_ip}:%{NOTSPACE:client_port} ((%{NOTSPACE:target_ip}:%{NOTSPACE:target_port})|-) %{NOTSPACE:request_processing_time} %{NOTSPACE:target_processing_time} %{NOTSPACE:response_processing_time} %{NOTSPACE:elb_status_code} %{NOTSPACE:target_status_code} %{NOTSPACE:received_bytes} %{NOTSPACE:sent_bytes} "%{DATA:request}" "%{DATA:user_agent}" %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol} %{NOTSPACE:target_group_arn} "%{DATA:trace_id}" "%{NOTSPACE:domain_name}" "%{NOTSPACE:chosen_cert_arn}" %{NOTSPACE:matched_rule_priority} %{TIMESTAMP_ISO8601:request_creation_time} "%{NOTSPACE:actions_executed}" "%{NOTSPACE:redirect_url}" "%{NOTSPACE:error_reason}" (?:"|)%{DATA:target_port_list}(?:"|) (?:"|)%{DATA:target_status_code_list}(?:"|) "%{NOTSPACE:classification}" "%{NOTSPACE:classification_reason}"
Results
| Field Name | Meaning |
|---|---|
| | The type of request or connection. Possible values are: |
| | The resource ID of the load balancer. If you are parsing access log entries, note that resource IDs can contain forward slashes ( |
| | The IP address and port of the requesting client |
| | The IP address and port of the target that processed this request. If the client didn't send a full request, the load balancer can't dispatch the request to a target, and this value is set to |
| | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the request until the time it sent it to a target. This value is set to |
| | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer sent the request to a target until the target started to send the response headers. This value is set to |
| | The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client. This value is set to |
| | The status code of the response from the load balancer |
| | The status code of the response from the target. This value is recorded only if a connection was established to the target and the target sent a response. Otherwise, it is set to |
| | The size of the request, in bytes, received from the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes received from the client on the connection. |
| | The size of the response, in bytes, sent to the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes sent to the client on the connection. |
| | The HTTP verb of the request |
| | The URI the request was targeting |
| | The HTTP version number of the request |
| | The User-Agent string that identifies the client that originated the request, enclosed in double quotes. The string consists of one or more product identifiers, product/version. If the string is longer than 8 KB, it is truncated. |
| | The SSL cipher. This value is set to |
| | The SSL protocol. This value is set to |
| | The Amazon Resource Name (ARN) of the target group |
| | The contents of the |
| | The SNI domain provided by the client during the TLS handshake, enclosed in double quotes. This value is set to - if the client doesn't support SNI or the domain doesn't match a certificate and the default certificate is presented to the client. |
| | The ARN of the certificate presented to the client, enclosed in double quotes. This value is set to session-reused if the session is reused. This value is set to |
| | The priority value of the rule that matched the request. If a rule matched, this is a value from |
| | The time when the load balancer received the request from the client, in ISO 8601 format |
| | The actions taken when processing the request, enclosed in double quotes. This value is a comma-separated list that can include the values described in Actions Taken. If no action was taken, such as for a malformed request, this value is set to |
| | The URL of the redirect target for the location header of the HTTP response, enclosed in double quotes. If no redirect actions were taken, this value is set to |
| | The error reason code, enclosed in double quotes. If the request failed, this is one of the error codes described in Error Reason Codes. If the actions taken do not include an authenticate action or the target is not a Lambda function, this value is set to |
CloudFront
Source
logtype = 'cloudfront-web'
Grok
^%{NOTSPACE:date}%{SPACE}%{NOTSPACE:time}%{SPACE}%{NOTSPACE:x_edge_location}%{SPACE}%{NOTSPACE:sc_bytes}%{SPACE}%{NOTSPACE:c_ip}%{SPACE}%{NOTSPACE:cs_method}%{SPACE}%{NOTSPACE:cs_host}%{SPACE}%{NOTSPACE:cs_uri_stem}%{SPACE}%{NOTSPACE:sc_status}%{SPACE}%{NOTSPACE:cs_referer}%{SPACE}%{NOTSPACE:cs_user_agent}%{SPACE}%{NOTSPACE:cs_uri_query}%{SPACE}%{NOTSPACE:cs_Cookie}%{SPACE}%{NOTSPACE:x_edge_result_type}%{SPACE}%{NOTSPACE:x_edge_request_id}%{SPACE}%{NOTSPACE:x_host_header}%{SPACE}%{NOTSPACE:cs_protocol}%{SPACE}%{NOTSPACE:cs_bytes}%{SPACE}%{NOTSPACE:time_taken}%{SPACE}%{NOTSPACE:x_forwarded_for}%{SPACE}%{NOTSPACE:ssl_protocol}%{SPACE}%{NOTSPACE:ssl_cipher}%{SPACE}%{NOTSPACE:x_edge_response_result_type}%{SPACE}%{NOTSPACE:cs_protocol_version}%{SPACE}%{NOTSPACE:fle_status}%{SPACE}%{NOTSPACE:fle_encrypted_fields}%{SPACE}%{NOTSPACE:c_port}%{SPACE}%{NOTSPACE:time_to_first_byte}%{SPACE}%{NOTSPACE:x_edge_detailed_result_type}%{SPACE}%{NOTSPACE:sc_content_type}%{SPACE}%{NOTSPACE:sc_content_len}%{SPACE}%{NOTSPACE:sc_range_start}%{SPACE}%{NOTSPACE:sc_range_end}
Results
| Field Name | Meaning |
|---|---|
| | The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) |
| | The total number of bytes that CloudFront served to the viewer in response to the request, including headers, for example, 1045619. For WebSocket connections, this is the total number of bytes sent from the server to the client through the connection. |
| | The IP address of the viewer that made the request, either in IPv4 or IPv6 format. If the viewer used an HTTP proxy or a load balancer to send the request, the value of c-ip is the IP address of the proxy or load balancer. See also |
| | The HTTP request method: DELETE, GET, HEAD, OPTIONS, PATCH, POST, or PUT. |
| | The domain name of the CloudFront distribution, for example, |
| | The portion of the URI that identifies the path and object, for example, |
| | An HTTP status code (for example, 200), or 000, which indicates that the viewer closed the connection (for example, closed the browser tab) before CloudFront could respond to a request. If the viewer closes the connection after CloudFront starts to send the response, the log contains the applicable HTTP status code. |
| | The name of the domain that originated the request. Common referrers include search engines, other websites that link directly to your objects, and your own website. |
| | The value of the User-Agent header in the request. The User-Agent header identifies the source of the request, such as the type of device and browser that submitted the request and, if the request came from a search engine, which search engine. |
| | The query string portion of the URI, if any. When a URI doesn't contain a query string, this field's value is a hyphen (-). |
| | The cookie header in the request, including name-value pairs and the associated attributes. If you enable cookie logging, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin. When a request doesn't include a cookie header, this field's value is a hyphen (-). |
| | How CloudFront classifies the response after the last byte left the edge location. In some cases, the result type can change between the time that CloudFront is ready to send the response and the time that CloudFront has finished sending the response. |
| | An encrypted string that uniquely identifies a request. In the response header, this is |
| | The value that the viewer included in the Host header for this request. This is the domain name in the request: If you're using the CloudFront domain name in your object URLs, this field contains that domain name. If you're using alternate domain names in your object URLs, such as http://example.com/logo.png, this field contains the alternate domain name, such as example.com. To use alternate domain names, you must add them to your distribution. |
| | The protocol that the viewer specified in the request: http, https, ws, or wss. |
| | The number of bytes of data that the viewer included in the request, including headers. For WebSocket connections, this is the total number of bytes sent from the client to the server on the connection. |
| | The number of seconds (to the thousandth of a second, for example, 0.002) between the time that a CloudFront edge server receives a viewer's request and the time that CloudFront writes the last byte of the response to the edge server's output queue as measured on the server. From the perspective of the viewer, the total time to get the full object will be longer than this value due to network latency and TCP buffering. |
| | If the viewer used an HTTP proxy or a load balancer to send the request, the value of c-ip in field 5 is the IP address of the proxy or load balancer. In that case, this field is the IP address of the viewer that originated the request. This field contains IPv4 and IPv6 addresses, as applicable. If the viewer did not use an HTTP proxy or a load balancer, the value of x-forwarded-for is a hyphen (-). |
| | When cs-protocol in field 17 is https, this field contains the SSL/TLS protocol that the client and CloudFront negotiated for transmitting the request and response. Possible values include SSLv3, TLSv1, TLSv1.1, and TLSv1.2. When cs-protocol in field 17 is http, the value for this field is a hyphen (-). |
| | When cs-protocol in field 17 is https, this field contains the SSL/TLS cipher that the client and CloudFront negotiated for encrypting the request and response. Possible values include the following: |
| | How CloudFront classified the response just before returning the response to the viewer. Possible values include: |
| | The HTTP version that the viewer specified in the request. Possible values include: |
| | When field-level encryption is configured for a distribution, this field contains a code that indicates whether the request body was successfully processed. If field-level encryption is not configured for the distribution, the value is a hyphen (-). |
| | The number of fields that CloudFront encrypted and forwarded to the origin. CloudFront streams the processed request to the origin as it encrypts data, so fle-encrypted-fields can have a value even if the value of fle-status is an error. If field-level encryption is not configured for the distribution, the value of fle-encrypted-fields is a hyphen (-). |
| | The port number of the request from the viewer. |
| | The number of seconds between receiving the request and writing the first byte of the response, as measured on the server. |
| | When x-edge-result-type is not Error, this field contains the same value as x-edge-result-type. When x-edge-result-type is Error, this field contains the specific type of error. |
| | The value of the HTTP Content-Type header of the response. |
| | The value of the HTTP Content-Length header of the response. |
| | When the response contains the HTTP Content-Range header, this field contains the range start value. |
| | When the response contains the HTTP Content-Range header, this field contains the range end value. |
Elastic Load Balancer
Source
logtype = 'elb'
Grok
^%{TIMESTAMP_ISO8601:time} %{NOTSPACE:elb} %{NOTSPACE:client_ip}:%{NOTSPACE:client_port} ((%{NOTSPACE:backend_ip}:%{NOTSPACE:backend_port})|-) %{NOTSPACE:request_processing_time} %{NOTSPACE:backend_processing_time} %{NOTSPACE:response_processing_time} %{NOTSPACE:elb_status_code} %{NOTSPACE:backend_status_code} %{NOTSPACE:received_bytes} %{NOTSPACE:sent_bytes} "%{DATA:request}" "%{DATA:user_agent}" %{NOTSPACE:ssl_cipher} %{NOTSPACE:ssl_protocol}
Results
| Field Name | Meaning |
|---|---|
| | The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) |
| | The total number of bytes that CloudFront served to the viewer in response to the request, including headers, for example, 1045619. For WebSocket connections, this is the total number of bytes sent from the server to the client through the connection. |
| | The IP address of the viewer that made the request. If the viewer used an HTTP proxy or a load balancer to send the request, the value of c-ip is the IP address of the proxy or load balancer. |
| | The HTTP request method: DELETE, GET, HEAD, OPTIONS, PATCH, POST, or PUT. |
| | The domain name of the CloudFront distribution, for example, d111111abcdef8.cloudfront.net. |
| | The portion of the URI that identifies the path and object, for example, /images/cat.jpg. Question marks (?) in URLs and query strings are not included in the log. |
| | An HTTP status code (for example, 200), or 000, which indicates that the viewer closed the connection (for example, closed the browser tab) before CloudFront could respond to a request. If the viewer closes the connection after CloudFront starts to send the response, the log contains the applicable HTTP status code. |
| | The name of the domain that originated the request. Common referrers include search engines, other websites that link directly to your objects, and your own website. |
| | The value of the User-Agent header in the request. The User-Agent header identifies the source of the request, such as the type of device and browser that submitted the request and, if the request came from a search engine, which search engine. |
| | The query string portion of the URI, if any. When a URI doesn't contain a query string, this field's value is a hyphen (-). |
| | The cookie header in the request, including name-value pairs and the associated attributes. If you enable cookie logging, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin. When a request doesn't include a cookie header, this field's value is a hyphen (-). |
| | How CloudFront classifies the response after the last byte left the edge location. In some cases, the result type can change between the time that CloudFront is ready to send the response and the time that CloudFront has finished sending the response. |
| | An encrypted string that uniquely identifies a request. In the response header, this is x-amz-cf-id. |
| | The value that the viewer included in the Host header for this request. This is the domain name in the request: If you're using the CloudFront domain name in your object URLs, this field contains that domain name. If you're using alternate domain names in your object URLs, such as http://example.com/logo.png, this field contains the alternate domain name, such as example.com. To use alternate domain names, you must add them to your distribution. |
| | The protocol that the viewer specified in the request: http, https, ws, or wss. |
| | The number of bytes of data that the viewer included in the request, including headers. For WebSocket connections, this is the total number of bytes sent from the client to the server on the connection. |
| | The number of seconds (to the thousandth of a second, for example, 0.002) between the time that a CloudFront edge server receives a viewer's request and the time that CloudFront writes the last byte of the response to the edge server's output queue as measured on the server. From the perspective of the viewer, the total time to get the full object will be longer than this value due to network latency and TCP buffering. |
| | If the viewer used an HTTP proxy or a load balancer to send the request, the value of c-ip in field 5 is the IP address of the proxy or load balancer. In that case, this field is the IP address of the viewer that originated the request. This field contains IPv4 and IPv6 addresses, as applicable. If the viewer did not use an HTTP proxy or a load balancer, the value of x-forwarded-for is a hyphen (-). |
| | When cs-protocol in field 17 is https, this field contains the SSL/TLS protocol that the client and CloudFront negotiated for transmitting the request and response. Possible values include SSLv3, TLSv1, TLSv1.1, and TLSv1.2. When cs-protocol in field 17 is http, the value for this field is a hyphen (-). |
| | When cs-protocol in field 17 is https, this field contains the SSL/TLS cipher that the client and CloudFront negotiated for encrypting the request and response. Possible values include the following: |
| | How CloudFront classified the response just before returning the response to the viewer. Possible values are: |
| | The HTTP version that the viewer specified in the request. Possible values include: |
| | When field-level encryption is configured for a distribution, this field contains a code that indicates whether the request body was successfully processed. If field-level encryption is not configured for the distribution, the value of this field is a hyphen (-). When CloudFront successfully processes the request body, encrypts values in the specified fields, and forwards the request to the origin, the value of this field is Processed. The value of x-edge-result-type can still indicate a client-side or server-side error in this case. If the request exceeds a field-level encryption limit, fle-status contains one of the following error codes, and CloudFront returns HTTP status code 400 to the viewer. |
| | The number of fields that CloudFront encrypted and forwarded to the origin. CloudFront streams the processed request to the origin as it encrypts data, so fle-encrypted-fields can have a value even if the value of fle-status is an error. If field-level encryption is not configured for the distribution, the value of fle-encrypted-fields is a hyphen (-). |
| | The port number of the request from the viewer. |
| | The number of seconds between receiving the request and writing the first byte of the response, as measured on the server. |
| | When x-edge-result-type is not Error, this field contains the same value as x-edge-result-type. When x-edge-result-type is Error, this field contains the specific type of error. |
| | The value of the HTTP Content-Type header of the response. |
| | The value of the HTTP Content-Length header of the response. |
| | When the response contains the HTTP Content-Range header, this field contains the range start value. |
| | When the response contains the HTTP Content-Range header, this field contains the range end value. |
Microsoft IIS
Source
logtype = 'iis_w3c'
Grok
%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:server_ip} %{WORD:method} %{NOTSPACE:uri} %{NOTSPACE:uri_query} %{NOTSPACE:server_port} %{NOTSPACE:username} %{NOTSPACE:client_ip} %{NOTSPACE:user_agent} %{NOTSPACE:referer} %{NOTSPACE:status} %{NOTSPACE:substatus} %{NOTSPACE:win32_status} %{NOTSPACE:time_taken}
Monit
Source
logtype = 'monit'
Grok
\[%{NOTSPACE:tz} %{SYSLOGTIMESTAMP:nr_timestamp}\] %{WORD:state}%{SPACE}: %{GREEDYDATA:message}
Results
| Field Name | Meaning |
|---|---|
| | The severity of the log line |
| | The message |
MySQL Error
Source
logtype = 'mysql-error'
Grok
\[%{WORD:log_level}\]
Results
| Field Name | Meaning |
|---|---|
| | The severity of the log line |
NGINX
Source
logtype = 'nginx'
Grok
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}
Results
| Field Name | Meaning |
|---|---|
| | The IP address of the client |
| | The HTTP verb |
| | The user identity of the client making the request |
| | The HTTP status code of the response |
| | The URI and request being made |
| | The HTTP version of the request |
| | The raw HTTP request if data is posted |
| | The number of bytes sent |
| | The HTTP referrer |
| | The client's user agent |
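The Apache and NGINX rulesets above share one Grok pattern. The following added example (not New Relic's code) expands that pattern into a Python regular expression using a small subset of the standard Grok base patterns, transcribed here with simplified HTTPDATE and QS definitions, and applies it to constructed access-log lines, including a malformed request that falls through to the rawrequest alternative with a '-' byte count; the expander itself works for any of the page's patterns whose base patterns are added to the table.

```python
import re
from collections import Counter

# Subset of the standard Grok base patterns, transcribed for this example. HTTPDATE and QS
# are simplified here (the real QS uses atomic groups, which older Python versions lack).
GROK_BASE = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*\.?",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "USER": r"[a-zA-Z0-9._-]+",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "DATA": r".*?",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "QS": r'"(?:\\.|[^\\"])*"',  # the captured value keeps its quotes, as Grok's QS does
}

# The pattern shared by the 'apache' and 'nginx' rulesets, exactly as the page lists it.
ACCESS_LOG_GROK = (
    r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
    r'"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" '
    r'%{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent}'
)

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # matches %{NAME} or %{NAME:field}


def grok_to_regex(grok: str) -> str:
    """Expand Grok references into a Python regex: %{NAME:field} becomes a named
    group, %{NAME} a non-capturing group. Expansion repeats until nothing is left,
    because base patterns such as IPORHOST are built from other base patterns."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_BASE[name]  # KeyError: pattern not in this example's subset
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    while _REF.search(grok):
        grok = _REF.sub(expand, grok)
    return grok


ACCESS_LOG_RE = re.compile(grok_to_regex(ACCESS_LOG_GROK))


def parse_access_log(line: str):
    """Return the attributes parsed from one line, or None if it does not match.
    Groups that did not take part (e.g. 'bytes' when the line says '-', or 'verb'
    and 'request' when only 'rawrequest' matched) are dropped, mirroring a Grok
    parser that only emits the attributes it actually captured."""
    m = ACCESS_LOG_RE.search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def error_counts_by_client(lines):
    """Count 4xx/5xx responses per client IP: the kind of aggregation that is a
    one-line query once clientip and response are attributes, not raw text."""
    counts = Counter()
    for line in lines:
        fields = parse_access_log(line)
        if fields and fields["response"][0] in "45":
            counts[fields["clientip"]] += 1
    return counts


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LINES = [
    '203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 '
    '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"',
    # Malformed request: no verb/URI, so only rawrequest matches, and bytes is '-'.
    '198.51.100.9 - - [10/Oct/2000:13:55:37 -0700] "-" 408 - "-" "-"',
    '198.51.100.9 - - [10/Oct/2000:13:55:38 -0700] "GET /missing.html HTTP/1.1" 404 196 "-" "curl/7.68.0"',
]
```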
NGINX Error
Source
logtype = 'nginx-error'
Grok
^(?<timestamp>%{YEAR:year}[./-]%{MONTHNUM:month}[./-]%{MONTHDAY:day}[- ]%{TIME:time}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP:clientip}|%{HOSTNAME:hostname}))(?:, server: %{IPORHOSTORUNDERSCORE:server})(?:, request: %{QS:request})?(?:, upstream: "%{URI:upstream}")?(?:, host: %{QS:host})?(?:, referrer: "%{URI:referrer}")?$
Results
| Field Name | Meaning |
|---|---|
| | The severity of the log line |
| | The server process ID |
| | The error's message |
| | The IP address of the calling client |
| | The server IP address |
| | The full request |
| | The upstream URI |
| | The server's hostname |
| | The HTTP referrer |
Route 53
Source
logtype = 'route-53'
Grok
%{NUMBER:log_format_version} %{TIMESTAMP_ISO8601} %{WORD:zone_id} %{IPORHOST:query} %{WORD:query_type} %{WORD:response_code} %{WORD:protocol} %{WORD:edge_location} %{IP:resolver_ip} %{GREEDYDATA:edns_client_subnet}
Results
| Field Name | Meaning |
|---|---|
| | The version of the log format |
| | The ID of the hosted zone that is associated with all the DNS queries in this log |
| | The domain or subdomain that was specified in the request |
| | Either the DNS record type that was specified in the request, or ANY |
| | The DNS response code that Route 53 returned in response to the DNS query |
| | The protocol that was used to submit the query, either TCP or UDP |
| | The Route 53 edge location that responded to the query. Each edge location is identified by a three-letter code and an arbitrary number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) |
| | The IP address of the DNS resolver that submitted the request to Route 53 |
| | A partial IP address for the client that the request originated from, if available from the DNS resolver |
Syslog RFC-5424
Source
logtype = 'syslog-rfc5424'
Grok
<%{NONNEGINT:pri}>%{NONNEGINT:version} +(?:%{TIMESTAMP_ISO8601:log.timestamp}|-) +(?:%{HOSTNAME:hostname}|-) +(?:\-|%{NOTSPACE:app.name}) +(?:\-|%{NOTSPACE:procid}) (?:\-|%{NOTSPACE:msgid}) +(?:\[%{DATA:structured.data}\]|-|) +%{GREEDYDATA:message}
Results
| Field Name | Meaning |
|---|---|
| | The priority represents both the message facility and severity |
| | Syslog protocol version |
| | Original timestamp |
| | The machine that originally sent the Syslog message |
| | The device or application that originated the message |
| | The process name or process ID associated with a Syslog system |
| | Identifies the type of message |
| | Structured data string value |
| | The If the same structured-data block contains duplicate param names, it also appends an index-based suffix to the attribute name. For example, the structured data For structured data with enterprise numbers assigned, an extra attribute is also parsed. For example, the structured data |
| | Free-form message that provides information about the event |