Lately, I have been working on centralizing the logs from all of our servers and application layers. I decided to use Fluentd instead of Logstash because it claims better reliability without jumping through hoops (e.g. adding a Kafka layer).
Anyways, working on the configuration, I noticed that it doesn’t have any default configs for PHP errors. My quick Google search didn’t reveal anything either. So, I decided to write the regex myself. Here is what I ended up with. This also accounts for multiline stack traces.
    <source>
      @type tail
      tag SERVERNAME.php.errors
      # Example
      #[03-Sep-2017 22:51:06 UTC] PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 65536 bytes) in Unknown on line 0
      format multiline
      format_firstline /^\[(?<time>[^\]]*)\] (?<level>.+?):/
      format1 /^\[(?<time>[^\]]*)\] (?<level>.+?):\s+(?<message>.*)/
      time_format %d-%b-%Y %H:%M:%S %Z
      read_from_head true # Read the file from the start.
      path C:\webroot\php_errors.txt
      pos_file C:\opt\td-agent\tmp\hd-dev01.php.errors.pos
    </source>
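To check the patterns before deploying the config, the following added example (not part of the original post, and not Fluentd's own code) replays them in plain Ruby against a constructed log that includes a stack trace. The helper names and the sample log are assumptions; the grouping logic is a simplified stand-in for what the tail input does with `format_firstline`.

```ruby
require 'time'

# Patterns and time_format copied from the <source> block above. The /m flag
# mirrors the multiline parser, which lets "." in format1 span newlines.
FIRSTLINE   = /^\[(?<time>[^\]]*)\] (?<level>.+?):/
FORMAT1     = /^\[(?<time>[^\]]*)\] (?<level>.+?):\s+(?<message>.*)/m
TIME_FORMAT = '%d-%b-%Y %H:%M:%S %Z'

# Constructed sample log (not real data): one single-line error, one error
# with a multiline stack trace, and one warning.
SAMPLE = <<~'LOG'
  [03-Sep-2017 22:51:06 UTC] PHP Fatal error:  Allowed memory size of 268435456 bytes exhausted (tried to allocate 65536 bytes) in Unknown on line 0
  [03-Sep-2017 22:51:09 UTC] PHP Fatal error:  Uncaught Exception: boom in C:\webroot\index.php:12
  Stack trace:
  #0 C:\webroot\index.php(20): run()
  #1 {main}
    thrown in C:\webroot\index.php on line 12
  [03-Sep-2017 22:51:10 UTC] PHP Warning:  Division by zero in C:\webroot\calc.php on line 7
LOG

# Start a new record at every line matching format_firstline and append any
# other line to the record in progress. Lines seen before the first match
# have no record to join and are dropped.
def group_records(lines)
  lines.each_with_object([]) do |line, records|
    if FIRSTLINE.match?(line)
      records << line.chomp
    elsif records.any?
      records.last << "\n" << line.chomp
    end
  end
end

# Apply format1 to one grouped record and parse its timestamp with time_format.
def parse_record(text)
  m = FORMAT1.match(text)
  return nil unless m
  time = Time.strptime(m[:time], TIME_FORMAT)
  { time: time.utc.iso8601, level: m[:level], message: m[:message] }
end

def parse_log(text)
  group_records(text.lines).map { |record| parse_record(record) }.compact
end

puts parse_log(SAMPLE).map(&:inspect) if __FILE__ == $PROGRAM_NAME
```

Because `level` is matched lazily up to the first colon, the second record's level is `PHP Fatal error` and the `Uncaught Exception: ...` text, together with the whole stack trace, lands in `message`.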