Facing problem after parsing custom logs

[sandraimmaculate]

Hi, as i want to parse the Nginx logs but security onion doesn't supports system integration for nginx logs so i tried with custom log integration i mentioned the path of the log file in the integration and yes the logs are getting displayed when i type the log file path which i mentioned in custom log integration. But the logs are displaying like:

the whole log entry is inside the message field, its not displaying the log entry in suppurate suppurate fields.
Can you help me to parse the custom logs! please suggest

[reyesj2]

You may have to have a bit of patience, but nginx is a supported integration in the next release of Security Onion. So once we get that released you'll be able to soup and use the Nginx integration for your logs.
#12221

[sandraimmaculate]

Rather than that system integration for nginx is there any option to parse the nginx logs in security onion using template or pipeline i tried this in elk there i created a pipeline and logstash.conf file to parse the logs, but happened is the logs are not taking from the file which i mention in logstash conf, the logs getting stored only when i execute put command with my log entry then it getting stored in that index. i can't do this for each log entry right its a very big log file
IDK what to do!
is there any option like this in security onion parsing the logs using pipeline without this issuse (the logs getting stored only when i execute put command with my log entry then it getting stored in that index.) if it is there can you guide me to parse the logs.

**because i follwed the below steps:
i created myconf.conf file in path:
/opt/so/saltstack/local/salt/logstash/pipelines/config/custom/
added the file name in administration > configuration > logstash -> defined_pipelines -> manager and append the name of your newly created file to the list of config files used for the manager pipeline:
custom/myfile.conf

here is my conf file**

after this i restart the logstash i got like this in output:
ID: ls_pipeline_manager_custom_myfile
Function: file.managed
Name: /opt/so/conf/logstash/pipelines/manager/myfile.conf
Result: True
Comment: File /opt/so/conf/logstash/pipelines/manager/myfile.conf is in the correct state
Started: 10:01:01.232245
Duration: 11.782 ms
Changes:

but if i go to kibana and search for that I'm not getting any log regarding mine

Please reply

[cm-ops]

What is that output in your logstash config?

[sandraimmaculate]

i tried with the below output in logstash conf
output {
elasticsearch {
hosts => ["localhost:9200"]
}
}
and saw the below information in security onion document

and tried with this output also
output {
http {
id => "cloned_events_out"
host => "http://hostname"
http_method => "post"
codec => "json_lines"
}
}

[cm-ops]

Where are you trying to send the logs? You would need to get them into the SO Elasticsearch ingest pipeline if you wanted to see custom logs in the GUI.