ELK filter过滤器来收集Nginx日志
前面已经有ELK-Redis的安装,此处只讲在不改变日志格式的情况下收集Nginx日志.
1.Nginx端的日志格式设置如下:
log_format access '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /usr/local/nginx/logs/access.log access;
2.Nginx端logstash-agent的配置如下:
[root@localhost conf]# cat logstash_agent.conf
input {
file {
path => [ "/usr/local/nginx/logs/access.log" ]
type => "nginx_access"
} }
output {
redis {
data_type => "list"
key => "nginx_access_log"
host => "192.168.100.70"
port => "6379" }
}
3.logstash_indexer的配置如下:
[root@elk-node1 conf]# cat logstash_indexer.conf
input {
redis {
data_type => "list"
key => "nginx_access_log"
host => "192.168.100.70"
port => "6379" }
} filter {
grok {
patterns_dir => "./patterns"
match => { "message" => "%{NGINXACCESS}" } }
geoip {
source => "clientip"
target => "geoip"
#database => "/usr/local/logstash/GeoLite2-City.mmdb"
database => "/usr/local/src/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
} mutate {
convert => [ "[geoip][coordinates]", "float" ]
convert => [ "response","integer" ]
convert => [ "bytes","integer" ]
}
mutate {remove_field => ["message"]}
date {
match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
}
mutate {
remove_field => "timestamp"
}
} output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "192.168.100.71"
#protocol => "http"
index => "logstash-nginx-access-log-%{+YYYY.MM.dd}"
}
}
3.创建存放logstash格式化Nginx日志的文件。
mkdir -pv /usr/local/logstash/patterns [root@elk-node1 ]# vim/usr/local/logstash/patterns/nginx
ERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for} #这个格式要和Nginx的 log_format格式保持一致.
假如说我 nginx 日志在加上一个 nginx 响应时间呢?修改格式加上”request_time”:
修改日志结构生成数据:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';
修改一下 nginx 的正则匹配,多加一个选项:
[root@elk-node1 patterns]# cat nginx
NGUSERNAME [a-zA-Z\.\@\-\+_%]+
NGUSER %{NGUSERNAME}
NGINXACCESS %{IPORHOST:clientip} - %{NGUSER:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:float}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for} %{NUMBER:request_time:float}
~
~
附一份当时生产环境自己的logstash.conf配置实例(logstash-5.2.2的conf文件):
input {
redis {
data_type => "list"
key => "uc01-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
redis {
data_type => "list"
key => "uc02-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
redis {
data_type => "list"
key => "p-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
redis {
data_type => "list"
key => "https-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
redis {
data_type => "list"
key => "rms01-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
redis {
data_type => "list"
key => "rms02-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "juzi1@#$%QW"
}
}
filter {
if [path] =~ "nginx" {
grok {
patterns_dir => "./patterns"
match => { "message" => "%{NGINXACCESS}" }
}
mutate {
remove_field => ["message"]
}
mutate {
remove_field => "timestamp"
}
date {
match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
}
geoip {
source => "clientip"
target => "geoip"
database => "/usr/local/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
else {
drop {}
}
}
output {
if [type] == "uc01-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-uc01-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
if [type] == "uc02-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-uc02-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
if [type] == "p-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-p-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
if [type] == "https-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-api-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
if [type] == "rms01-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-rms01-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
if [type] == "rms02-nginx-access" {
elasticsearch {
hosts => [ "192.168.100.70:9200","192.168.100.71:9200" ]
index => "logstash-rms02-log-%{+YYYY.MM.dd}"
user => logstash_internal
password => changeme
}
}
}
logstash_indexer.conf
[root@localhost ~]$cd /usr/local/logstash-5.2./etc
[root@localhost etc]$ cat logstash_agentd.conf
input {
file {
type => "web-nginx-access"
path => "/usr/local/nginx/logs/access.log"
} } output{
#file {
# path => "/tmp/%{+YYYY-MM-dd}.messages.gz"
# gzip => true
#} redis {
data_type => "list"
key => "web01-nginx-access-logs"
host => "192.168.100.71"
port => ""
db => ""
password => "@#$%QW" } }
logstash_agentd.conf
ELK filter过滤器来收集Nginx日志的更多相关文章
- ELK 二进制安装并收集nginx日志
对于日志来说,最常见的需求就是收集.存储.查询.展示,开源社区正好有相对应的开源项目:logstash(收集).elasticsearch(存储+搜索).kibana(展示),我们将这三个组合起来的技 ...
- ELK Stack (2) —— ELK + Redis收集Nginx日志
ELK Stack (2) -- ELK + Redis收集Nginx日志 摘要 使用Elasticsearch.Logstash.Kibana与Redis(作为缓冲区)对Nginx日志进行收集 版本 ...
- ELK日志系统之使用Rsyslog快速方便的收集Nginx日志
常规的日志收集方案中Client端都需要额外安装一个Agent来收集日志,例如logstash.filebeat等,额外的程序也就意味着环境的复杂,资源的占用,有没有一种方式是不需要额外安装程序就能实 ...
- 安装logstash5.4.1,并使用grok表达式收集nginx日志
关于收集日志的方式,最简单性能最好的应该是修改nginx的日志存储格式为json,然后直接采集就可以了. 但是实际上会有一个问题,就是如果你之前有很多旧的日志需要全部导入elk上查看,这时就有两个问题 ...
- 第七章·Logstash深入-收集NGINX日志
1.NGINX安装配置 源码安装nginx 因为资源问题,我们先将nginx安装在Logstash所在机器 #安装nginx依赖包 [root@elkstack03 ~]# yum install - ...
- ELK实践(二):收集Nginx日志
Nginx访问日志 这里补充下Nginx访问日志使用的说明.一般在nginx.conf主配置文件里需要定义一种格式: log_format main '$remote_addr - $remote_u ...
- Docker 部署 ELK 收集 Nginx 日志
一.简介 1.核心组成 ELK由Elasticsearch.Logstash和Kibana三部分组件组成: Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引 ...
- ELK学习实验014:Nginx日志JSON格式收集
1 Kibana的显示配置 https://demo.elastic.co/app/kibana#/dashboard/welcome_dashboard 环境先处理干净 安装nginx和httpd- ...
- ELASTIC 5.2部署并收集nginx日志
elastic 5.2集群安装笔记 设计架构如下: nginx_json_log ->filebeat ->logstash ->elasticsearch ->kiban ...
随机推荐
- Centos6.9安装JDK1.8
https://blog.csdn.net/zhangjm123/article/details/80784930
- 如何在Python之Flask中使用https链接
[Flask]在Flask中使用HTTPS 转自:http://www.jianshu.com/p/5ea147e03255
- RedHat中代理设置
YUM代理设置 编辑/etc/yum.conf,在最后加入 # Proxy proxy=http://username:password@proxy_ip:port/ 也可以使用proxy_usern ...
- 设计模式之原型模式(深入理解OC中的NSCopying协议以及浅拷贝、深拷贝)
原型模式:用原型实例指定创建对象的种类,并且通过拷贝这些原型创建新的对象.原型模式其实就是从一个对象再创建另一个可定制的对象,而且不需知道任何创建的细节. 比如说,有一个Person类,有firstN ...
- 无线投屏PC投电视
http://www.waxrain.com/index.html 电脑投到电视上,看看PPT,显示电脑屏幕完全ok.
- Delphi实现RGB色环的代码绘制(XE10.2+WIN764)
相关资料: http://blog.csdn.net/tokimemo/article/details/18702689 http://www.myexception.cn/delphi/215402 ...
- 网络构建入门技术(1)——IP概述
说明(2017-5-10 11:02:31): 0. IP地址的作用,TCP/IP,网络层,包,源IP(哪个设备发出).目的IP(数据要发到哪个设备),每个设备需要唯一的一个IP地址.32个0到32个 ...
- 基于bootstrup3全屏宽度的响应式jQuery幻灯片特效
这是一款效果非常酷的基于Bootstrup3.x和HTML5的响应式全屏宽度jQuery幻灯片特效.该幻灯片能自适应屏幕的宽度,使用HTML5的data属性来指定幻灯片所需的各种属性.使用简单,界面美 ...
- linux 删除文件,df空间不变化
今天遇到一个问题,就是linux服务器空间满了,可是删除了软件后. 查看空间,没有变化 ???啥情况 那么去查看删除的情况吧. [root@VM_0_4_centos usr]# lsof|grep ...
- # Writing your first Django app, part 2
创建admin用户 D:\desktop\todoList\Django\mDjango\demoSite>python manage.py createsuperuser 然后输入密码 进入a ...