logstash 添加nginx日志
选择需求分类废话少说直接上图
第一张图:
2.此图搭配的日志格式是:
log_format main '$remote_addr - $remote_user [$time_local] $http_host $request_method "$uri" "$query_string" '
'$status $body_bytes_sent "$http_referer" $upstream_status $upstream_addr $request_time $upstream_response_time '
'"$http_user_agent" "$http_cdn_src_ip" "$http_x_forwarded_for"' ;
3.写正则放在那里呢?
放在logstash 解压目录下,创建一个 patterns/nginx文件
URIPARM1 [A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
URIPATH1 (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\- ]*)+
URI1 (%{URIPROTO}://)?(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
HOSTPORT %{IPORHOST}:%{POSINT}
NGINXACCESS %{IPORHOST:remote_ip} - (%{USERNAME:user}|-) \[%{HTTPDATE:log_timestamp}\] %{HOSTNAME:http_host} %{WORD:request_method} \"%{URIPATH1:uri}\" \"%{URIPARM1:param}\" %{BASE10NUM:http_status} (?:%{BASE10NUM:body_bytes_sent}|-) \"(?:%{URI1:http_referrer}|-)\" (%{BASE10NUM:upstream_status}|-) (?:%{HOSTPORT:upstream_addr}|-) (%{BASE16FLOAT:upstream_response_time}|-) (%{BASE16FLOAT:request_time}|-) (?:%{QUOTEDSTRING:user_agent}|-) \"(%{IPV4:client_ip}|-)\" \"(%{WORD:x_forword_for}|-)\"
第二类 nginx默认log格式:
1.日志格式
(1)
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
(2)
log_format logstash '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent $request_time "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
2.patterns/nginx
(1)
WZ ([^ ]*)
NGINXACCESS %{IP:remote_ip} \- \- \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{WZ:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:status} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{QS:xforward}
(2)
NGINXACCESS %{IP:remote_ip} \- \- \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{WZ:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:status} %{NUMBER:bytes} %{BASE16FLOAT:request_time} %{QS:referer} %{QS:agent} \"%{IP:xforward}\"
(2)tomcat
3.一段小代码
input {
file {
path => [ "/var/log/nginx/access.log" ]
start_position => "beginning"
ignore_older => 0
}
}
filter {
grok {
match => { "message" => "%{NGINXACCESS}" }
}
geoip {
source => "remote_ip"
target => "geoip"
database => "/etc/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
convert => [ "response","integer" ]
convert => [ "bytes","integer" ]
replace => { "type" => "nginx_access" }
remove_field => "message"
}
date {
match => [ "timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
}
mutate {
remove_field => "timestamp"
}
}
output {
elasticsearch {
hosts => ["elk01:9200","elk02:9200","elk03:9200"]
index => "logstash-nginx-access-%{+YYYY.MM.dd}"
}
stdout {codec => rubydebug} #调试的时候用的
}
以上两种都已经测试了
使用json添加nginxlogstash
log_format logstash_json '{ "@timestamp": "$time_iso8601",'
'"@version":"1",'
'"client": "$http_x_forwarded_for",'
'"request_method": "$request_method",'
'"request_uri": "$request_uri",'
'"status": $status,'
'"host": "$server_addr",'
'"size": $body_bytes_sent,'
'"responsetime": $request_time'
'}';
input {
file {
path => "/hwdata/logs/nginx/access_json.log"
type => "appstore-accesslog"
codec => "json"
}
}
filter {
mutate {
gsub => [
"client", ",*", "",
"client", "-", "本机IP"
]
}
geoip {
source => "client"
add_tag => [ "geoip" ]
database => "/etc/logstash/GeoLiteCity.dat"
fields => ["country_name", "country_code2","region_name", "city_name", "real_region_name", "latitude", "longitude"]
remove_field => [ "[geoip][longitude]", "[geoip][latitude]" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
output {
redis {
host => "redis_IP"
port => "6379"
db => "6"
data_type => "list"
key => "appstore-accesslog"
}
}
logstash 添加nginx日志的更多相关文章
- Kafka、Logstash、Nginx日志收集入门
Nginx作为网站的第一入口,其日志记录了除用户相关的信息之外,还记录了整个网站系统的性能,对其进行性能排查是优化网站性能的一大关键. Logstash是一个接收,处理,转发日志的工具.支持系统日志, ...
- Logstash收集nginx日志之使用grok过滤插件解析日志
grok作为一个logstash的过滤插件,支持根据模式解析文本日志行,拆成字段. nginx日志的配置: log_format main '$remote_addr - $remote_user [ ...
- logstash收集Nginx日志,转换为JSON格式
Nginx日志处理为JSON格式,并放置在http区块: log_format json '{"@timestamp":"$time_iso8601",' '& ...
- logstash收集nginx日志
(1)安装nginx 1.安装nginx yum install epel-release -y yum install nginx -y 2.修改日志文件格式为json #vim /etc/ngin ...
- logstash获取nginx日志的配置
nginx部分配置直接用json,省去很多麻烦 log_format json '{"@timestamp":"$time_iso8601",' '" ...
- logstash收集nginx访问日志
logstash收集nginx访问日志 安装nginx #直接yum安装: [root@elk-node1 ~]# yum install nginx -y 官方文档:http://nginx.org ...
- 第七章·Logstash深入-收集NGINX日志
1.NGINX安装配置 源码安装nginx 因为资源问题,我们先将nginx安装在Logstash所在机器 #安装nginx依赖包 [root@elkstack03 ~]# yum install - ...
- Logstash使用grok插件解析Nginx日志
grok表达式的打印复制格式的完整语法是下面这样的: %{PATTERN_NAME:capture_name:data_type}data_type 目前只支持两个值:int 和 float. 在线g ...
- ELK - nginx 日志分析及绘图
1. 前言 先上一张整体的效果图: 上面这张图就是通过 ELK 分析 nginx 日志所得到的数据,通过 kibana 的功能展示出来的效果图.是不是这样对日志做了解析,想要知道的数据一目了然.接下来 ...
随机推荐
- Mongodb 故障分享 初始化时"errmsg" : "exception: new file allocation failure" 并且长时间处于STARTUP2
Hello,大家下午好. 近几天的项目有点赶,所以耽误了更新.现在给大家分享下,在安装mongodb的过程中,遇到的故障一则.其实很小白的问题,当时遇到这个问题的时候比较心慌,浪费了很多时间,跟大家分 ...
- whereis 和which
这两个命令用的好,可以很快找出文件的路径 [root@oc3408554812 zip-3.0]# which passwd/usr/bin/passwd[root@oc3408554812 zip- ...
- cloudfoundry上搭建go服务端
虽然只有60天试用期,我还是把教程公布一下: 1. 注册一个cloudfoundry账号 https://console.run.pivotal.io/register 2. 安装CLI部署工具包 h ...
- 将 Tor socks 转换成 http 代理
你可以通过不同的 Tor 工具来使用 Tor 服务,如 Tor 浏览器.Foxyproxy 和其它东西,像 wget 和 aria2 这样的下载管理器不能直接使用 Tor socks 开始匿名下载,因 ...
- js关闭子窗口,刷新父窗口
父页面js:function btnAdd_onclick() {window.open("xxx.jsp", "","height=600, wid ...
- hdoj 5074
Problem Description Hatsune Miku is a popular virtual singer. It is very popular in both Japan and C ...
- openssl
openssl genrsa -des3 -out server.key 1024openssl req -new server.key -out servr.csr seserver-fnamese ...
- J2EE、J2SE、J2ME是什么意思?
本文介绍Java的三大块:J2EE.J2SE和J2ME.J2SE就是Java2的标准版,主要用于桌面应用软件的编程:J2ME主要应用于嵌入是系统开发,如手机和PDA的编程:J2EE是Java2的企业版 ...
- 持续集成配置-Teamcity
1.安装目录\buildagent\work\每个项目下一个文件夹\src下是源 目的: 2. 安装目录\buildagent\work\每个项目下一个文件夹\src下是源 目的是teamcity中配 ...
- kanboard邮件通知
1. 复制config.default.php为config.php 2. 修改一下内容 define('MAIL_TRANSPORT', 'smtp');define('MAIL_SMTP_HOST ...