1. Add the following line to /etc/rc.local:
    varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid
  2. Configure logrotate by adding the following line to
    (create it if it doesn't exist):
    /var/log/varnish/*log {
        create 640 http log
            /bin/kill -USR1 `cat /var/run/varnishncsa.pid 2>/dev/null` 2> /dev/null || true
  3. Add a local file source to your collector pointing to the path defined above

Sample Log - - [2017-07-13 21:10:59.586 +0000] "GET /_includes/wp/blog/wp-content/plugins/us/31063765-bpfull.phpi?&w=50&id=6&random=1331063765 HTTP/1.1" 304 5201 "http://search.yahoo.com/mobile/s?rew...0logs&pintl=en" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0"

Field Extraction Rule

parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"

Resulting Fields:

Field Description Example
src_ip The IP address of the client (remote host) which made the request to the server
method The method used by the client GET
url The resource requested by the client /_includes/wp/blog/wp-content/plugins/us/31063765-bpfull.phpi?&w=50&id=6&random=1331063765
status_code The status code that the server sends back to the client 304
size The size of the object returned to the client 5201
referrer The site that the client reports having been referred from http://search.yahoo.com/mobile/s?rew...0logs&pintl=en
user_agent The identifying information that the client browser reports about itself Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0