Lately, I have been working on centralizing the logs from all of our servers and application layers. I decided to use Fluentd instead of Logstash because it claims better reliability without jumping through hoops (e.g. adding a Kafka layer).

Anyway, while working on the configuration, I noticed that Fluentd doesn't ship any default config for PHP errors. A quick Google search didn't turn up anything either, so I wrote the regex myself. Here is what I ended up with. It also accounts for multiline stack traces.

<source>
 @type tail
 tag SERVERNAME.php.errors

 # Example
 #[03-Sep-2017 22:51:06 UTC] PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 65536 bytes) in Unknown on line 0

 format multiline
 format_firstline /^\[(?<time>[^\]]*)\] (?<level>.+?):/
 format1 /^\[(?<time>[^\]]*)\] (?<level>.+?):\s+(?<message>.*)/
 time_format %d-%b-%Y %H:%M:%S %Z

 read_from_head true # Read the file from the start.

 path C:\webroot\php_errors.txt
 pos_file C:\opt\td-agent\tmp\hd-dev01.php.errors.pos
</source>
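To check that a stack trace stays in one record instead of being split into separate events, here is an added example (not part of the original post and not Fluentd's own code): a simplified Ruby emulation of the firstline/format1 logic above, run against a constructed log sample. The helper names, the sample lines, and the assumption that format1 is applied in multiline mode (so `.` spans newlines) are mine.

```ruby
require 'time'

# Expressions copied from the config above. Assumption: format1 is applied
# in multiline mode (/m), so "." also matches the newlines of a stack trace.
FIRSTLINE   = /^\[(?<time>[^\]]*)\] (?<level>.+?):/
FORMAT1     = /^\[(?<time>[^\]]*)\] (?<level>.+?):\s+(?<message>.*)/m
TIME_FORMAT = '%d-%b-%Y %H:%M:%S %Z'

# Constructed sample log (only the first line comes from the post).
SAMPLE = <<~'LOG'
  [03-Sep-2017 22:51:06 UTC] PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 65536 bytes) in Unknown on line 0
  [03-Sep-2017 22:52:10 UTC] PHP Fatal error:  Uncaught Exception: boom in C:\webroot\index.php:12
  Stack trace:
  #0 C:\webroot\index.php(20): run()
  #1 {main}
    thrown in C:\webroot\index.php on line 12
  [03-Sep-2017 22:53:00 UTC] PHP Warning:  Division by zero in C:\webroot\calc.php on line 7
LOG

# Group raw lines into event buffers: a line matching FIRSTLINE opens a new
# buffer, any other line is appended to the buffer currently being built.
def group_events(text)
  events = []
  text.each_line do |line|
    if FIRSTLINE.match?(line) || events.empty?
      events << line.dup
    else
      events.last << line
    end
  end
  events
end

# Apply FORMAT1 to one buffer; returns nil when the buffer has no PHP header.
def parse_event(buffer)
  m = FORMAT1.match(buffer.chomp)
  return nil unless m
  { 'time' => Time.strptime(m[:time], TIME_FORMAT).utc,
    'level' => m[:level], 'message' => m[:message] }
end

def parse_log(text)
  group_events(text).map { |buf| parse_event(buf) }.compact
end

if __FILE__ == $PROGRAM_NAME
  parse_log(SAMPLE).each { |e| puts "#{e['time'].iso8601} [#{e['level']}] #{e['message'].lines.size} line(s)" }
end
```

Note that `level` captures everything up to the first colon, so it includes the `PHP ` prefix (for example `PHP Fatal error`); alerting rules that filter on severity need to match that full string.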