Traefik access log in JSON format

Telegraf
,
1

Hello!

I’m new to the forum. Was wondering if someone could help me with parsing the Traefik access log, which is in JSON format. I keep getting the same error in Telegraf which does not make much sense to me as I am not from DEV background. The error is “2023-07-01T14:10:40Z E! [processors.parser] could not parse field message: invalid character ‘i’ in literal true (expecting ‘r’)”.

Here is my Telegraf config below. I have commented out some of the syntax but still have the same error with everything uncommented.

[[inputs.docker_log]]
endpoint = “unix:///var/run/docker.sock”
from_beginning = false
container_name_include = [“traefik”]

[[processors.parser]]
name_override = “traefik_access_log”
namepass = [“docker_log”]
parse_fields = [“message”]
merge = “override”
data_format = “json”
#json_string_fields = [
#“ClientHost”,
#“RequestAddr”,
#“RequestCount”,
#“RequestHost”,
#“RequestMethod”,
#“RequestPath”,
#“RequestProtocol”,
#“RequestScheme”,
#“downstream_Content-Type”,
#“request_User-Agent”,
#“time”
#]
#json_time_key = “time”
#json_time_format = “2000-01-01T12:00:00+”
#json_timezone = “UTC”

[[outputs.influxdb_v2]]
urls = [“http://influxdb:8086”] # required
token = “Removed”
organization = “Home”
bucket = “traefik_access_log”
timeout = “5s”
namepass = [“traefik_access_log”]
[[outputs.file]]
files = [“/var/tmp/output/output.txt”]
namepass = [“traefik_access_log”]

2

@LordMuck can you please post a (redacted) sample of the data!?

3

Sure, thanks.

{“ClientAddr”:“192.168.0.43:58210”,“ClientHost”:“192.168.0.43”,“ClientPort”:“58210”,“ClientUsername”:“-”,“DownstreamContentSize”:0,“DownstreamStatus”:304,“Duration”:6166995,“OriginContentSize”:0,“OriginDuration”:5985133,“OriginStatus”:304,“Overhead”:181862,“RequestAddr”:“redacted”,“RequestContentSize”:0,“RequestCount”:29653,“RequestHost”:“redacted”,“RequestMethod”:“GET”,“RequestPath”:“/_static/out/browser/serviceWorker.js”,“RequestPort”:“-”,“RequestProtocol”:“HTTP/2.0”,“RequestScheme”:“https”,“RetryAttempts”:0,“RouterName”:“codeserver-cf@file”,“ServiceAddr”:“172.16.201.254:12121”,“ServiceName”:“codeserver-cf@file”,“ServiceURL”:{“Scheme”:“http”,“Opaque”:“”,“User”:null,“Host”:“172.16.201.254:12121”,“Path”:“”,“RawPath”:“”,“OmitHost”:false,“ForceQuery”:false,“RawQuery”:“”,“Fragment”:“”,“RawFragment”:“”},“StartLocal”:“2023-07-03T15:55:49.13190374+01:00”,“StartUTC”:“2023-07-03T14:55:49.13190374Z”,“TLSCipher”:“TLS_AES_128_GCM_SHA256”,“TLSVersion”:“1.3”,“entryPointName”:“https”,“level”:“info”,“msg”:“”,“request_User-Agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.67”,“time”:“2023-07-03T15:55:49+01:00”}

4

@LordMuck you might want to try this processor setup

[[processors.parser]]
  name_override = "traefik_access_log"
  namepass = ["docker_log"]

  fielddrop = ["time", "level"]

  parse_fields = ["message"]
  merge = “override”

  data_format = "xpath_json"
  xpath_native_types = true

  [[processors.parser.xpath]]
    timestamp = "/time"
    timestamp_format = "rfc3339"
    field_selection = "descendant::*[not(*)]"
    field_name_expansion = true

    [processors.parser.tags]
        level = "/level"

There is no necessity for the tags section or for the fielddrop etc. I just included it for illustration.

5

Thanks for that. I tried using this config with and without the field drop and tag and still have the same Telegraf error.

2023-07-04T13:15:20Z E! [processors.parser] could not parse field message: invalid character ‘i’ in literal true (expecting ‘r’)

6

Can you please show the message just before the processor?! You might either use the printer processor or comment out the processor and use --test when running Telegraf…

7

Hi thanks again for helping me.

I enabled the Printer Processor plugin and all I got was numbers :thinking:

6 46 119 111 114 107 105 110 103 95 100 105 114 61 47 104 111 109 101 47 110 97 114 101 121 47 100 111 99 107 101 114 47 109 97 110 97 103 101 109 101 110 116 44 99 111 109 46 100 111 99 107 101 114 46 99 111 109 112 111 115 101 46 114 101 112 108 97 99 101 61 99 54 51 99 101 49 48 49 98 55 97 101 55 97 101 101 48 53 52 100 52 50 49 57 98 49 56 56 97 101 50 53 49 50 57 51 97 101 57 97 54 57 100 101 49 52 99 97 99 52 99 51 98 54 55 99 101 53 100 54 54 102 50 102 44 99 111 109 46 100 111 99 107 101 114 46 99 111 109 112 111 115 101 46 115 101 114 118 105 99 101 61 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 44 99 111 109 46 100 111 99 107 101 114 46 99 111 109 112 111 115 101 46 118 101 114 115 105 111 110 61 50 46 49 56 46 49 44 99 111 110 116 97 105 110 101 114 95 105 109 97 103 101 61 103 104 99 114 46 105 111 47 106 111 101 102 101 114 110 101 114 47 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 44 99 111 110 116 97 105 110 101 114 95 110 97 109 101 61 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 44 99 111 110 116 97 105 110 101 114 95 115 116 97 116 117 115 61 114 117 110 110 105 110 103 44 99 111 110 116 97 105 110 101 114 95 118 101 114 115 105 111 110 61 108 97 116 101 115 116 44 101 110 103 105 110 101 95 104 111 115 116 61 117 98 98 121 44 104 111 115 116 61 116 101 108 101 103 114 97 102 44 110 101 116 119 111 114 107 61 101 116 104 49 44 115 101 114 118 101 114 95 118 101 114 115 105 111 110 61 50 52 46 48 46 50 44 116 114 97 101 102 105 107 46 101 110 97 98 108 101 61 116 114 117 101 44 116 114 97 101 102 105 107 46 104 116 116 112 46 114 111 117 116 101 114 115 46 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 101 110 116 114 121 112 111 105 110 116 115 61 104 116 116 112 44 116 114 97 101 102 105 107 46 104 116 116 112 46 114 111 117 116 101 114 115 46 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 109 105 100 100 108 101 119 97 114 101 115 61 99 104 97 105 110 45 110 111 45 97 117 116 104 45 110 111 45 104 116 116 112 115 64 102 105 108 101 44 116 114 97 101 102 105 107 46 104 116 116 112 46 114 111 117 116 101 114 115 46 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 114 117 108 101 61 72 111 115 116 40 96 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 104 111 109 101 110 101 116 119 111 114 107 46 108 97 110 96 41 44 116 114 97 101 102 105 107 46 104 116 116 112 46 114 111 117 116 101 114 115 46 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 115 101 114 118 105 99 101 61 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 44 116 114 97 101 102 105 107 46 104 116 116 112 46 115 101 114 118 105 99 101 115 46 114 101 100 105 115 45 99 111 109 109 97 110 100 101 114 46 108 111 97 100 98 97 108 97 110 99 101 114 46 115 101 114 118

8

@LordMuck thanks for finding a bug in the printer processor! :wink: Should be fixed in fix(processors.printer): Convert output to string by srebhan · Pull Request #13564 · influxdata/telegraf · GitHub… Anyway, decoding the bytes you provided you get

.working_dir=/home/narey/docker/management,com.docker.compose.replace=c63ce101b7ae7aee054d4219b188ae251293ae9a69de14cac4c3b67ce5d66f2f,com.docker.compose.service=redis-commander,com.docker.compose.version=2.18.1,container_image=ghcr.io/joeferner/redis-commander,container_name=redis-commander,container_status=running,container_version=latest,engine_host=ubby,host=telegraf,network=eth1,server_version=24.0.2,traefik.enable=true,traefik.http.routers.redis-commander.entrypoints=http,traefik.http.routers.redis-commander.middlewares=chain-no-auth-no-https@file,traefik.http.routers.redis-commander.rule=Host(`redis-commander.homenetwork.lan`),traefik.http.routers.redis-commander.service=redis-commander,traefik.http.services.redis-commander.loadbalancer.serv

So what is really strange is the non-printable metric name (ASCII 0x06)… Furthermore, the metric does not have a message field… Are you sure that this was the message that triggered the error?