fluent · hlein · Nov 16, 2025 · Nov 16, 2025 · Nov 16, 2025 · Nov 16, 2025
@@ -1523,6 +1523,7 @@ set(CPACK_RPM_SPEC_MORE_DEFINE "%define ignore \#")
 set(CPACK_RPM_RUNTIME_USER_FILELIST
   "%config(noreplace) /etc/${FLB_OUT_NAME}/${FLB_OUT_NAME}.conf"
   "%config(noreplace) /etc/${FLB_OUT_NAME}/parsers.conf"
+  "%config(noreplace) /etc/${FLB_OUT_NAME}/parsers.yaml"
   "%config(noreplace) /etc/${FLB_OUT_NAME}/plugins.conf"
   "%ignore /lib"
   "%ignore /lib/systemd"

@@ -26,6 +26,7 @@
     # ============
     # specify an optional 'Parsers' configuration file
     parsers_file parsers.conf
+    #parsers_file parsers.yaml
 
     # Plugins File
     # ============

@@ -26,6 +26,7 @@
     # ============
     # specify an optional 'Parsers' configuration file
     parsers_file parsers.conf
+    #parsers_file parsers.yaml
 
     # Plugins File
     # ============

@@ -26,6 +26,7 @@
     # ============
     # specify an optional 'Parsers' configuration file
     parsers_file parsers.conf
+    #parsers_file parsers.yaml
 
     # Plugins File
     # ============

@@ -3,6 +3,7 @@
     Daemon       Off
     Log_Level    info
     Parsers_File parsers.conf
+    #Parsers_File parsers.yaml
 
 [INPUT]
     Name          tail

@@ -3,6 +3,7 @@
     Daemon       Off
     Log_Level    info
     Parsers_File parsers.conf
+    #Parsers_File parsers.yaml
 
 [INPUT]
     Name          tail

@@ -1,14 +1,14 @@
- [PARSER]
+[PARSER]
       # https://rubular.com/r/6ZCuwV4Xa7nfA3
       Name                rabbitmq
       Format              regex
       Regex               (?<date>[^ ]+)\s(?<time>[^ ]+)\s\[(?<log_level>[^ \]]*)\]\s(?<PID>[^ ]*)\s(?<msg>((([a-zA-Z]*\s+)+[^ ]*)+)+)
- [PARSER]
+[PARSER]
       # https://rubular.com/r/jWfJIOMKr2LgcO
       Name                neo4j
       Format              regex
       Regex               (?<date>[^ ]*) (?<time>[^ ]*) (?<log_level>[^ ]*)\s(?<msg>([^ ]*\s+[^ ]*)+)
- [PARSER]
+[PARSER]
       # https://rubular.com/r/U8VbByp0oRPLU6
       Name                external-dns
       Format              regex

@@ -0,0 +1,15 @@
+parsers:
+  - name: rabbitmq
+    # https://rubular.com/r/6ZCuwV4Xa7nfA3
+    format: regex
+    regex: (?<date>[^ ]+)\s(?<time>[^ ]+)\s\[(?<log_level>[^ \]]*)\]\s(?<PID>[^ ]*)\s(?<msg>((([a-zA-Z]*\s+)+[^ ]*)+)+)
+
+  - name: neo4j
+    # https://rubular.com/r/jWfJIOMKr2LgcO
+    format: regex
+    regex: (?<date>[^ ]*) (?<time>[^ ]*) (?<log_level>[^ ]*)\s(?<msg>([^ ]*\s+[^ ]*)+)
+
+  - name: external-dns
+    # https://rubular.com/r/U8VbByp0oRPLU6
+    format: regex
+    regex: ([^ ])\"(?<time>[^ ]+)\"\s([^ ]+)\=(?<log_level>[.+a-zA-Z]+)\s([^ ]+)\"(?<msg>([^ ]*\s+[^ ]*\s[a-zA-Z0-9]*)+)
@@ -82,6 +82,7 @@
     Time_Keep   On
 
 [PARSER]
+    # https://rubular.com/r/y5tae3pzf6sOHW
     Name        syslog-rfc3164
     Format      regex
     Regex       /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
@@ -116,7 +117,7 @@
     Time_Key start_time
 
 [PARSER]
-    # http://rubular.com/r/tjUt3Awgg4
+    # https://rubular.com/r/tjUt3Awgg4
     Name cri
     Format regex
     Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$

@@ -0,0 +1,122 @@
+parsers:
+  - name: apache
+    format: regex
+    regex: '^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")?$'
+    time_key: time
+    time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  - name: apache2
+    format: regex
+    regex: '^(?<host>[^ ]*) [^ ]* (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^ ]*) +\S*)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>.*)")?$'
+    time_key: time
+    time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  - name: apache_error
+    format: regex
+    regex: '^\[[^ ]* (?<time>[^\]]*)\] \[(?<level>[^\]]*)\](?: \[pid (?<pid>[^\]]*)\])?( \[client (?<client>[^\]]*)\])? (?<message>.*)$'
+
+  - name: nginx
+    format: regex
+    regex: '^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)")'
+    time_key: time
+    time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  - name: k8s-nginx-ingress
+    # https://rubular.com/r/IhIbCAIs7ImOkc
+    format: regex
+    regex: '^(?<host>[^ ]*) - (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*) "(?<referer>[^\"]*)" "(?<agent>[^\"]*)" (?<request_length>[^ ]*) (?<request_time>[^ ]*) \[(?<proxy_upstream_name>[^ ]*)\] (\[(?<proxy_alternative_upstream_name>[^ ]*)\] )?(?<upstream_addr>[^ ]*) (?<upstream_response_length>[^ ]*) (?<upstream_response_time>[^ ]*) (?<upstream_status>[^ ]*) (?<reg_id>[^ ]*).*$'
+    time_key: time
+    time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  - name: json
+    format: json
+    time_key: time
+    time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  - name: logfmt
+    format: logfmt
+
+  - name: docker
+    format: json
+    time_key: time
+    time_format: '%Y-%m-%dT%H:%M:%S.%L'
+    time_keep: On
+    # --
+    # Since Fluent Bit v1.2, if you are parsing Docker logs and using
+    # the Kubernetes filter, it's not longer required to decode the
+    # 'log' key.
+    #
+    # Command      |  Decoder | Field | Optional Action
+    # =============|==================|=================
+    #Decode_Field_As    json     log
+    #
+
+  - name: docker-daemon
+    format: regex
+    regex: time="(?<time>[^ ]*)" level=(?<level>[^ ]*) msg="(?<msg>[^ ].*)"
+    time_key: time
+    time_format: '%Y-%m-%dT%H:%M:%S.%L'
+    time_keep: On
+
+  - name: syslog-rfc5424
+    format: regex
+    regex: ^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*?)\]|-)) (?<message>.+)$
+    time_key: time
+    time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
+    time_keep: On
+
+  - name: syslog-rfc3164-local
+    format: regex
+    regex: '^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$'
+    time_key: time
+    time_format: '%b %d %H:%M:%S'
+    time_keep: On
+
+  - name: syslog-rfc3164
+    format: regex
+    regex: '/^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/'
+    time_key: time
+    time_format: '%b %d %H:%M:%S'
+    time_keep: On
+
+  - name: mongodb
+    format: regex
+    regex: '^(?<time>[^ ]*)\s+(?<severity>\w)\s+(?<component>[^ ]+)\s+\[(?<context>[^\]]+)]\s+(?<message>.*?) *(?<ms>(\d+))?(:?ms)?$'
+    time_format: '%Y-%m-%dT%H:%M:%S.%L'
+    time_keep: On
+    time_key: time
+
+  - name: envoy
+    # https://rubular.com/r/0VZmcYcLWMGAp1
+    format: regex
+    regex: '^\[(?<start_time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)? (?<protocol>\S+)" (?<code>[^ ]*) (?<response_flags>[^ ]*) (?<bytes_received>[^ ]*) (?<bytes_sent>[^ ]*) (?<duration>[^ ]*) (?<x_envoy_upstream_service_time>[^ ]*) "(?<x_forwarded_for>[^ ]*)" "(?<user_agent>[^\"]*)" "(?<request_id>[^\"]*)" "(?<authority>[^ ]*)" "(?<upstream_host>[^ ]*)"'
+    time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
+    time_keep: On
+    time_key: start_time
+
+  - name: istio-envoy-proxy
+    # https://rubular.com/r/hbsTIxFFMozLmh
+    format: regex
+    regex: '^\[(?<start_time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)? (?<protocol>\S+)" (?<response_code>[^ ]*) (?<response_flags>[^ ]*) (?<response_code_details>[^ ]*) (?<connection_termination_details>[^ ]*) "(?<upstream_transport_failure_reason>[^ ]*)" (?<bytes_received>[^ ]*) (?<bytes_sent>[^ ]*) (?<duration>[^ ]*) (?<x_envoy_upstream_service_time>[^ ]*) "(?<x_forwarded_for>[^ ]*)" "(?<user_agent>[^\"]*)" "(?<x_request_id>[^\"]*)" "(?<authority>[^ ]*)" "(?<upstream_host>[^ ]*)" (?<upstream_cluster>[^ ]*) (?<upstream_local_address>[^ ]*) (?<downstream_local_address>[^ ]*) (?<downstream_remote_address>[^ ]*) (?<requested_server_name>[^ ]*) (?<route_name>[^  ]*)$'
+    time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
+    time_keep: On
+    time_key: start_time
+
+  - name: cri
+    # https://rubular.com/r/tjUt3Awgg4
+    format: regex
+    regex: ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<message>.*)$
+    time_key: time
+    time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
+    time_keep: On
+
+  - name: kube-custom
+    format: regex
+    regex: '(?<tag>[^.]+)?\.?(?<pod_name>[a-z0-9](?:[-a-z0-9]*[a-z0-9])?(?:\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)_(?<namespace_name>[^_]+)_(?<container_name>.+)-(?<docker_id>[a-z0-9]{64})\.log$'
+
+  - name: kmsg-netfilter-log
+    # Examples: TCP: https://rubular.com/r/Q8YY6fHqlqwGI0  UDP: https://rubular.com/r/B0ID69H9FvN0tp
+    format: regex
+    regex: '^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) kernel - - - \[[0-9\.]*\] (?<logprefix>[^ ]*)\s?IN=(?<in>[^ ]*) OUT=(?<out>[^ ]*) MAC=(?<macsrc>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}):(?<macdst>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}):(?<ethtype>[0-9a-f]{2}:[0-9a-f]{2}) SRC=(?<saddr>[^ ]*) DST=(?<daddr>[^ ]*) LEN=(?<len>[^ ]*) TOS=(?<tos>[^ ]*) PREC=(?<prec>[^ ]*) TTL=(?<ttl>[^ ]*) ID=(?<id>[^ ]*) (D*F*)\s*PROTO=(?<proto>[^ ]*)\s?((SPT=)?(?<sport>[0-9]*))\s?((DPT=)?(?<dport>[0-9]*))\s?((LEN=)?(?<protolen>[0-9]*))\s?((WINDOW=)?(?<window>[0-9]*))\s?((RES=)?(?<res>0?x?[0-9]*))\s?(?<flag>[^ ]*)\s?((URGP=)?(?<urgp>[0-9]*))'
+    time_key: time
+    time_format: '%Y-%m-%dT%H:%M:%S.%L%z'
@@ -0,0 +1,7 @@
+# Ambassador - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy https://www.getambassador.io
+#
+
+parsers:
+  - name: ambassador
+    format: regex
+    regex: '^(?<type>\S+) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>(?:[^\"]|\\.)*?)(?: +\S*)?) (?<protocol>\S+)?" (?<response_code>\S+) (?<response_flags>\S+) (?<bytes_received>\S+) (?<bytes_sent>\S+) (?<duration>\S+) (?<x_envoy_upstream_service_time>\S+) "(?<x_forwarded_for>[^\"]*)" "(?<user_agent>[^\"]*)" "(?<x_request_id>[^\"]*)" "(?<authority>[^\"]*)" "(?<upstream_host>[^\"]*)"'
@@ -1,6 +1,6 @@
 
 [PARSER]
-    # http://rubular.com/r/IvZVElTgNl
+    # https://rubular.com/r/IvZVElTgNl
     Name ceph
     Format regex
     Regex ^(?<log_time>[^ ][-.\d\+:T]+[ ]*[.:\d]*)\s+(?<message>.*)$

@@ -0,0 +1,8 @@
+parsers:
+  - name: ceph
+    # https://rubular.com/r/IvZVElTgNl
+    format: regex
+    regex: '^(?<log_time>[^ ][-.\d\+:T]+[ ]*[.:\d]*)\s+(?<message>.*)$'
+    time_format: '%Y-%m-%d %H:%M:%S.%L'
+    time_keep: Off
+    time_key: log_time
@@ -1,7 +1,7 @@
 # Extra set of common parsers
 
 [PARSER]
-    # http://rubular.com/r/cCVd1HLCAO
+    # https://rubular.com/r/cCVd1HLCAO
     Name crowbar
     Format regex
     Regex ^.*\[(?<log_time>[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+?(?<severity>[^ ]\w+)([\s-]*):?\s+(?<message>.*)
@@ -10,7 +10,7 @@
     Time_Key log_time
 
 [PARSER]
-    # http://rubular.com/r/frDgnElXW9 
+    # https://rubular.com/r/frDgnElXW9 
     Name chefclient
     Format regex
     Regex ^\[(?<log_time>[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+(?<severity>[^ ]\w+):\s+(?<message>.*)$