前面已经有ELK-Redis的安装,此处只讲在不改变日志格式的情况下收集Nginx日志.

1.Nginx端的日志格式设置如下:

log_format  access  '$remote_addr - $remote_user [$time_local] "$request" '

            '$status $body_bytes_sent "$http_referer" '

            '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /usr/local/nginx/logs/access.log  access;

2.Nginx端logstash-agent的配置如下:

[root@localhost conf]# cat logstash_agent.conf

input {

  file {

    path => [ "/usr/local/nginx/logs/access.log" ]

    type => "nginx_access"

 }

}

output {

  redis {

    data_type => "list"

    key => "nginx_access_log"

    host => "192.168.100.70"

    port => "6379"

 }

}

3.logstash_indexer的配置如下:

[root@elk-node1 conf]# cat logstash_indexer.conf

input {

  redis {

    data_type => "list"

    key => "nginx_access_log"

    host => "192.168.100.70"

    port => "6379"

 }

}

filter {

  grok {

    patterns_dir => "./patterns"

    match => { "message" => "%{NGINXACCESS}" }

  }

  geoip {

    source => "clientip"

    target => "geoip"

    #database => "/usr/local/logstash/GeoLite2-City.mmdb"

    database => "/usr/local/src/GeoLiteCity.dat"

    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]

    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]

  }

  mutate {

    convert => [ "[geoip][coordinates]", "float" ]

    convert => [ "response","integer" ]

    convert => [ "bytes","integer" ]

  }

  mutate {remove_field => ["message"]}

  date {

    match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z"]

  }

  mutate {

    remove_field => "timestamp"

  }

}

output {

  #stdout { codec => rubydebug }

  elasticsearch {

      hosts => "192.168.100.71"

      #protocol => "http"

      index => "logstash-nginx-access-log-%{+YYYY.MM.dd}"

 }

}

3.创建存放logstash格式化Nginx日志的文件。

mkdir -pv /usr/local/logstash/patterns

[root@elk-node1 ]# vim/usr/local/logstash/patterns/nginx

ERNAME [a-zA-Z\.\@\-\+_%]+

NGUSER %{NGUSERNAME}

NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for}

#这个格式要和Nginx的 log_format格式保持一致.

 假如说我 nginx 日志在加上一个 nginx 响应时间呢?修改格式加上”request_time”:  

修改日志结构生成数据:

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

                '$status $body_bytes_sent "$http_referer" '

                '"$http_user_agent" "$http_x_forwarded_for" $request_time';

修改一下 nginx 的正则匹配,多加一个选项:

[root@elk-node1 patterns]# cat nginx

NGUSERNAME [a-zA-Z\.\@\-\+_%]+

NGUSER %{NGUSERNAME}

NGINXACCESS %{IPORHOST:clientip} - %{NGUSER:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:float}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for} %{NUMBER:request_time:float}

~

~

附一份当时生产环境自己的logstash.conf配置实例(logstash-5.2.2的conf文件):

input {

  redis {

    data_type => "list"

    key => "uc01-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  } 

  redis {

    data_type => "list"

    key => "uc02-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  }

  redis {

    data_type => "list"

    key => "p-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  }

  redis {

    data_type => "list"

    key => "https-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  }

  redis {

    data_type => "list"

    key => "rms01-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  }

  redis {

    data_type => "list"

    key => "rms02-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "juzi1@#$%QW"

  }

}

filter {

  if [path] =~ "nginx" {

    grok {

      patterns_dir => "./patterns"

      match => { "message" => "%{NGINXACCESS}" }

    }

    mutate {

      remove_field => ["message"]

    }

    mutate {

      remove_field => "timestamp"

    }

    date {

    match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z"]

  }

    geoip {

    source => "clientip"

    target => "geoip"

    database => "/usr/local/GeoLite2-City.mmdb"

    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]

    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]

    }

    mutate {

    convert => [ "[geoip][coordinates]", "float" ]

    }

  }

  else {

    drop {}

  }

}

output {

  if [type] == "uc01-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-uc01-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

  if [type] == "uc02-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-uc02-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

  if [type] == "p-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-p-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

  if [type] == "https-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-api-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

  if [type] == "rms01-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-rms01-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

  if [type] == "rms02-nginx-access" {

    elasticsearch {

      hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]

      index => "logstash-rms02-log-%{+YYYY.MM.dd}"

      user => logstash_internal

      password => changeme

    }

  }

}

logstash_indexer.conf

[root@localhost ~]$cd /usr/local/logstash-5.2./etc

[root@localhost etc]$ cat logstash_agentd.conf

input {

  file {

    type => "web-nginx-access"

    path => "/usr/local/nginx/logs/access.log"

  }

}

output{

  #file {

  #  path => "/tmp/%{+YYYY-MM-dd}.messages.gz"

  #  gzip => true

  #}

  redis {

    data_type => "list"

    key => "web01-nginx-access-logs"

    host => "192.168.100.71"

    port => ""

    db => ""

    password => "@#$%QW"

  }

}

logstash_agentd.conf

ELK filter过滤器来收集Nginx日志的更多相关文章

  1. ELK 二进制安装并收集nginx日志

    对于日志来说,最常见的需求就是收集.存储.查询.展示,开源社区正好有相对应的开源项目:logstash(收集).elasticsearch(存储+搜索).kibana(展示),我们将这三个组合起来的技 ...

  2. ELK Stack (2) —— ELK + Redis收集Nginx日志

    ELK Stack (2) -- ELK + Redis收集Nginx日志 摘要 使用Elasticsearch.Logstash.Kibana与Redis(作为缓冲区)对Nginx日志进行收集 版本 ...

  3. ELK日志系统之使用Rsyslog快速方便的收集Nginx日志

    常规的日志收集方案中Client端都需要额外安装一个Agent来收集日志,例如logstash.filebeat等,额外的程序也就意味着环境的复杂,资源的占用,有没有一种方式是不需要额外安装程序就能实 ...

  4. 安装logstash5.4.1,并使用grok表达式收集nginx日志

    关于收集日志的方式,最简单性能最好的应该是修改nginx的日志存储格式为json,然后直接采集就可以了. 但是实际上会有一个问题,就是如果你之前有很多旧的日志需要全部导入elk上查看,这时就有两个问题 ...

  5. 第七章·Logstash深入-收集NGINX日志

    1.NGINX安装配置 源码安装nginx 因为资源问题,我们先将nginx安装在Logstash所在机器 #安装nginx依赖包 [root@elkstack03 ~]# yum install - ...

  6. ELK实践(二):收集Nginx日志

    Nginx访问日志 这里补充下Nginx访问日志使用的说明.一般在nginx.conf主配置文件里需要定义一种格式: log_format main '$remote_addr - $remote_u ...

  7. Docker 部署 ELK 收集 Nginx 日志

    一.简介 1.核心组成 ELK由Elasticsearch.Logstash和Kibana三部分组件组成: Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引 ...

  8. ELK学习实验014:Nginx日志JSON格式收集

    1 Kibana的显示配置 https://demo.elastic.co/app/kibana#/dashboard/welcome_dashboard 环境先处理干净 安装nginx和httpd- ...

  9. ELASTIC 5.2部署并收集nginx日志

    elastic 5.2集群安装笔记   设计架构如下: nginx_json_log ->filebeat ->logstash ->elasticsearch ->kiban ...

随机推荐

  1. 项目中开机自启动的 node-webkit开机自启动

    node-webkit开机自启动 Posted in 前端, 后端 By KeenWon On 2014年8月11日 Views: 1,215 node-webkit没有提供开机自启动的接口,在git ...

  2. 10款jQuery图片左右滚动插件

    在现代的网页设计中,图片和内容滑块是一种极为常见和重要的元素.你可以从头开始编写自己的滑动效果,但是这将浪费很多时间,因为网络上已经有众多的优秀的 jQuery 滑块插件.当然,如果要从大量的 jQu ...

  3. OpenCV探索之路(十七):Mat和IplImage访问像素的方法总结

    在opencv的编程中,遍历访问图像元素是经常遇到的操作,掌握其方法非常重要,无论是Mat类的像素访问,还是IplImage结构体的访问的方法,都必须扎实掌握,毕竟,图像处理本质上就是对像素的各种操作 ...

  4. 移动web开发(二)——viewport

    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scal ...

  5. python dataframe (method,partial,dir,hasattr,setattr,getarrt)

    # * _*_ coding:utf-8 _*___author__:'denny 20170730'from functools import reduceimport functoolsimpor ...

  6. Android Studio占用C盘内存

    使用Android Studio的时候,会发现,在各种下载导入的时候,C盘内存耗费的非常的快,于是我看了下配置.

  7. [openssl]openssl特定版本安装

    卸载旧版本 OpenSSL1. apt-get purge openssl2. rm -rf /etc/ssl #删除配置文件编译与安装 OpenSSLprefix 是安装目录,openssldir ...

  8. 淘宝开放平台获取沙箱token

    沙箱环境的文档都是错的,直接使用以下地址: 输入淘宝测试账号: sandbox_c_1    密码: taobao1234 https://login.tbsandbox.com/member/log ...

  9. java jdbc preparedstatement 分析

    https://blog.csdn.net/xiong9999/article/details/54137326

  10. PHP利用CURL_MULTI实现多线程

    PHP中的curl_multi一类函数可以实现同时请求多个url,而不是一个一个依次请求,这就类似一个进程实现了多个线程的功能,因此可以使用PHP利用CURL_MULTI实现完成多线程类的任务,下面就 ...