nginx parser does not capture multiple entries in http_x_forwarded_for-header when it contains white-spaces

[mkoertgen]

Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.

Describe the bug

The X-Forwarded-For allows a list of forwards which may include whitespace, e.g. client, proxy1, proxy2
The current regexp in the nginx-parser does not capture that.

To Reproduce

Have an nginx log with multiple proxies and the log will not be captured.

Check with fluentular:

• fluentular - current nginx-regexp
• fluentular - suggestion to fix

Expected behavior
The above log line can be captured

Your Environment

docker image: fluent/fluentd-kubernetes-daemonset:v1.12.3-debian-elasticsearch7-1.0

[mkoertgen]

A slight modification of the regexp would help:

^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)"(?:\s+"(?<http_x_forwarded_for>[^\"]+)")?)?$

This captures an optional forward-for-header enclosed by quotes.

[mkoertgen]

Seems to be addressed in v1.13.0 with #2171

[mkoertgen]

Waiting for docker image for 1.13.0 to become available, cf.:

• https://hub.docker.com/r/fluent/fluentd/tags