Simple Log Service: Getting started

Last Updated: Sep 06, 2024

After you associate an ingest processor with a Logstore, the ingest processor processes the logs that are written to the Logstore. For example, if you collect the access logs of a website to a Logstore and the access logs are formatted in single-line mode, you can create an ingest processor to parse the raw logs and extract valid fields from the logs for query and analysis.

Prerequisites

  • An Elastic Compute Service (ECS) instance is available. For more information, see Getting started with ECS.

  • Simple Log Service is activated. For more information, see Activate Simple Log Service.

  • If you want to use a Resource Access Management (RAM) user, the management permissions on ingest processors are granted to the RAM user. For more information, see Manage permissions.

Solution overview

In this solution, Logtail is used to collect the NGINX access logs of an ECS instance. An ingest processor parses the collected single-line logs into the ${key}:${value} format and writes the parsed logs to the Logstore.

  1. Collect logs by using Logtail: Activate Simple Log Service and use Logtail to collect the NGINX access logs of an ECS instance to a Logstore.

  2. Configure an ingest processor: Configure Simple Log Service Processing Language (SPL) statements to parse the raw logs.

  3. Associate the ingest processor with the Logstore: After you associate the ingest processor with the Logstore, the ingest processor parses the collected logs and writes the parsed logs to the Logstore for query and analysis.

1. Collect logs by using Logtail

1.1 Create a project and a Logstore

  1. Log on to the Simple Log Service console.

  2. Create a project.

    In the Projects section, click Create Project. For this example, create a project named web-project-test in the Philippines (Manila) region. For more information, see Manage a project.

  3. Create a Logstore.

    After the project is created, you are prompted to create a Logstore. For this example, create a Logstore named website_log. For more information, see Manage a Logstore.

1.2 Collect NGINX access logs

The NGINX access logs of a website are stored in the /var/log/nginx/access.log file on the ECS instance, and the logs are formatted in single-line mode by default. The following line is a sample log from the /var/log/nginx/access.log file:

192.168.1.75 - David [2024-07-31T14:27:24+08:00] "PUT /request/path-0/file-8 HTTP/1.1" 819 21577 403 73895 www.test5.com www.test2.com "Mozilla/5.0 (Windows NT 5.2; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1"

For more information about how to use Logtail to collect NGINX access logs from an ECS instance, see Collect text logs from servers. After logs are collected from the /var/log/nginx/access.log file to the website_log Logstore, you can query and analyze the collected logs.

You can also use Simple Log Service SDK to collect logs. For more information, see Get started with Simple Log Service SDK for Java and Data collection overview.

2. Configure an ingest processor

2.1 Go to the Data Processor page

  1. In the Projects section, click the web-project-test project.

  2. In the left-side navigation pane, choose Resources > Data Processor.

2.2 Create an ingest processor

  1. On the Data Processor > Ingest Processor tab, click Create.

  2. In the Create Processor panel, configure the parameters based on the following figure and click OK.

    image

    The following code shows an example of SPL settings. The ingest processor processes data based on the SPL settings. For more information, see SPL overview.

    * 
    | parse-regexp content, '(\S+)\s-\s(\S+)\s\[(\S+)\]\s"(\S+)\s(\S+)\s(\S+)"\s(\d+)\s(\d+)\s(\d+)\s(\d+)\s(\S+)\s(\S+)\s"(.*)"' as remote_addr, remote_user, time_local, request_method, request_uri, http_protocol, request_time, request_length, status, body_bytes_sent, host, referer, user_agent
    | project-away content
    | extend __topic__ = request_method
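
A local check of the SPL statement above, as an added example that is not part of the original documentation. Python's re module stands in for the SPL regular-expression engine (an assumption), and the names process and coverage and the second and third sample lines are constructed for illustration.

```python
import re

# Same pattern and field order as the parse-regexp statement above.
PATTERN = re.compile(
    r'(\S+)\s-\s(\S+)\s\[(\S+)\]\s"(\S+)\s(\S+)\s(\S+)"\s'
    r'(\d+)\s(\d+)\s(\d+)\s(\d+)\s(\S+)\s(\S+)\s"(.*)"'
)
FIELDS = (
    "remote_addr", "remote_user", "time_local", "request_method",
    "request_uri", "http_protocol", "request_time", "request_length",
    "status", "body_bytes_sent", "host", "referer", "user_agent",
)

def process(log):
    """Apply the three SPL steps to one log; return None if the pattern fails."""
    m = PATTERN.match(log.get("content", ""))
    if m is None:
        return None
    out = dict(log)
    out.update(zip(FIELDS, m.groups()))       # parse-regexp ... as ...
    del out["content"]                        # project-away content
    out["__topic__"] = out["request_method"]  # extend __topic__ = request_method
    return out

def coverage(lines):
    """Split raw lines into parsed logs and the raw lines that did not match."""
    parsed, unmatched = [], []
    for line in lines:
        result = process({"content": line})
        if result is None:
            unmatched.append(line)
        else:
            parsed.append(result)
    return parsed, unmatched

SAMPLE_LINES = [
    # Sample log from this page.
    '192.168.1.75 - David [2024-07-31T14:27:24+08:00] "PUT /request/path-0/file-8 HTTP/1.1" '
    '819 21577 403 73895 www.test5.com www.test2.com "Mozilla/5.0 (Windows NT 5.2; WOW64) '
    'AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Safari/535.1"',
    # Constructed: fractional request_time, which (\d+) does not accept.
    '192.168.1.80 - - [2024-07-31T14:27:25+08:00] "GET / HTTP/1.1" 0.819 120 200 512 www.test5.com - "curl/8.0"',
    # Constructed: quotes inside the user agent; the greedy (.*) runs to the last quote.
    '192.168.1.81 - - [2024-07-31T14:27:26+08:00] "GET / HTTP/1.1" 3 120 200 512 www.test5.com - "agent "with" quotes"',
]

if __name__ == "__main__":
    parsed, unmatched = coverage(SAMPLE_LINES)
    print(len(parsed), "parsed;", len(unmatched), "unmatched")
```

Running a sample of the collected lines through coverage before the processor is associated shows which log shapes the pattern does not cover.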

3. Associate the ingest processor with the Logstore

3.1 Associate the ingest processor with the Logstore

  1. In the left-side navigation pane, click Log Storage, move the pointer over the website_log Logstore, and then choose Modify.

  2. On the Logstore Attributes page of the website_log Logstore, click Modify in the upper-right corner. In edit mode, select the ingest processor that you created to parse the NGINX access logs from the Ingest Processor drop-down list, and then click Save.

3.2 Query and analyze logs

In the left-side navigation pane, click Log Storage, and then click the website_log Logstore. On the query and analysis page of the website_log Logstore, view the parsed logs.

Note

After an ingest processor is associated with a Logstore, the ingest processor processes the newly collected logs. You can view the parsed logs on the query and analysis page approximately 1 minute after you associate an ingest processor with a Logstore.

References

  • For more information about how to manage ingest processors, see Manage ingest processors.

  • For more information about how to collect logs after you activate Simple Log Service, see Data collection overview.

  • Ingest processors process data based on SPL settings. For more information about the SPL syntax, see SPL syntax.