Microsoft Tech Community

Custom Log parsing issue


Hi all,

I have an issue with custom logs (NGINX logs).
I created a new table in the Log Analytics workspace using DCR-based mode.
The raw log looks like this:
2024-06-09T10:52:13+02:00 | 149.154.229.84 | GET | https://dsk.xxxx.lu/test.html | HTTP/1.1 | 404 | 21 | - | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 | 0.053

I used the following JSON formats:

Format 1:
[
{
"TimeGenerated": "2024-06-04 08:31:56",
"DateTime": "2024-06-09T10:52:13+02:00",
"http_x_forwarded_for": "149.154.229.84",
"request_method": "GET",
"URL": "https://dsk.xxxx.lu/test.html",
"HTTP_Version": "HTTP/1.1",
"status": "404",
"body_bytes_sent": "21",
"http_referer": "-",
"http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
"request_time": "0.053"
}
]

Format 2:
[
{
"TimeGenerated": "2024-06-04 08:31:56",
"RawData": "2024-06-09T10:52:13+02:00 | 149.154.229.84 | GET | https://dsk.xxxx.lu/test.html | HTTP/1.1 | 404 | 21 | - | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 | 0.053"
}
]

If I use Format 1, I can't see the log payload when running a KQL query (see the "Log Nok" image).
If I use Format 2, I can see the log payload when running a KQL query (see the "Log OK" image).

Any idea?


Regards,


HA

0 Replies
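Added example (editor's note, not part of the post above and not Microsoft's or the poster's code): a DCR transformation in KQL that takes the pipe-delimited NGINX line as it arrives in the RawData column (the shape the poster's Format 2 shows) and splits it into the separate columns named in Format 1. It assumes the destination custom table already defines those columns, that the transformation is placed in the DCR's transformKql property, and that the separator is exactly " | " as in the sample line. Column types are a stated assumption: DateTime is cast to datetime; everything else is kept as string to match the poster's Format 1 sample, so if the table declares status, body_bytes_sent or request_time as numeric, switch those casts to toint()/toreal().

```kql
// Split the raw NGINX line into the columns the table defines.
// Lines with fewer than 10 fields are dropped so malformed input never lands in the table.
source
| extend parts = split(RawData, " | ")
| where array_length(parts) >= 10
| extend
    DateTime             = todatetime(parts[0]),   // 2024-06-09T10:52:13+02:00
    http_x_forwarded_for = tostring(parts[1]),     // 149.154.229.84
    request_method       = tostring(parts[2]),     // GET
    URL                  = tostring(parts[3]),     // https://dsk.xxxx.lu/test.html
    HTTP_Version         = tostring(parts[4]),     // HTTP/1.1
    status               = tostring(parts[5]),     // 404  (use toint() if the column is int)
    body_bytes_sent      = tostring(parts[6]),     // 21   (use toint() if the column is int)
    http_referer         = tostring(parts[7]),     // -
    http_user_agent      = tostring(parts[8]),     // Mozilla/5.0 (...) Chrome/125.0.0.0 Safari/537.36
    request_time         = tostring(parts[9])      // 0.053 (use toreal() if the column is real)
| project-away parts
```

Before attaching this to the DCR, it can be checked interactively against the table that already receives Format 2 data by replacing `source` with the table name and inspecting the resulting columns; the `where array_length(parts) >= 10` guard is what keeps a truncated or oddly delimited line from populating half the columns and silently shifting the rest.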