Collecting Nginx logs with an ELK filter
The ELK + Redis installation was covered earlier; this post only covers collecting Nginx logs without changing the existing log format.
1. The log format on the Nginx side is set as follows:
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /usr/local/nginx/logs/access.log access;
2. The logstash-agent configuration on the Nginx side:
    [root@localhost conf]# cat logstash_agent.conf
    input {
      file {
        path => [ "/usr/local/nginx/logs/access.log" ]
        type => "nginx_access"
      }
    }
    output {
      redis {
        data_type => "list"
        key  => "nginx_access_log"
        host => "192.168.100.70"
        port => "6379"
      }
    }
3. The logstash_indexer configuration:
    [root@elk-node1 conf]# cat logstash_indexer.conf
    input {
      redis {
        data_type => "list"
        key  => "nginx_access_log"
        host => "192.168.100.70"
        port => "6379"
      }
    }
    filter {
      grok {
        patterns_dir => "./patterns"
        match => { "message" => "%{NGINXACCESS}" }
      }
      geoip {
        source => "clientip"
        target => "geoip"
        #database => "/usr/local/logstash/GeoLite2-City.mmdb"
        database => "/usr/local/src/GeoLiteCity.dat"
        # adding the same field twice builds the [longitude, latitude] array Kibana maps expect
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
        convert => [ "response", "integer" ]
        convert => [ "bytes", "integer" ]
      }
      mutate { remove_field => ["message"] }
      # set @timestamp from the log's own time, then drop the raw string
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      }
      mutate {
        remove_field => "timestamp"
      }
    }
    output {
      #stdout { codec => rubydebug }
      elasticsearch {
        hosts => "192.168.100.71"
        #protocol => "http"
        index => "logstash-nginx-access-log-%{+YYYY.MM.dd}"
      }
    }
4. Create the patterns file Logstash uses to parse the Nginx log.
    [root@elk-node1 ~]# mkdir -pv /usr/local/logstash/patterns
    [root@elk-node1 ~]# vim /usr/local/logstash/patterns/nginx
    NGUSERNAME [a-zA-Z\.\@\-\+_%]+
    NGUSER %{NGUSERNAME}
    NGINXACCESS %{IPORHOST:clientip} - %{NOTSPACE:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for}
This pattern has to stay in step with Nginx's log_format. The note is kept out of the file on purpose: a grok patterns file has no inline comments, so a trailing # would become part of the pattern itself.
What if I also want the Nginx response time in the log? Change the format to add "request_time":
Modify the log format so the generated data includes it:
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time';
Then adjust the Nginx grok pattern with one more field:
    [root@elk-node1 patterns]# cat nginx
    NGUSERNAME [a-zA-Z\.\@\-\+_%]+
    NGUSER %{NGUSERNAME}
    NGINXACCESS %{IPORHOST:clientip} - %{NGUSER:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes:float}|-) %{QS:referrer} %{QS:agent} %{NOTSPACE:http_x_forwarded_for} %{NUMBER:request_time:float}
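Before rolling a changed pattern out to the indexer it is worth running it over real lines offline, because a single field that fails to match marks the whole event with _grokparsefailure and none of the other fields are extracted. The following is an added example, not code from the post: a Python translation of the NGINXACCESS pattern above, with the mutate conversions and the date filter applied the way the indexer config does. It keeps the grok field names; request_time is optional so one parser covers both log_format variants; and it matches $http_x_forwarded_for as a quoted string rather than NOTSPACE, because a chain of proxies produces a value like "203.0.113.9, 10.0.0.1" whose space would make the NOTSPACE version fail the entire line (that header is client-supplied, so parse failures there are the first thing to look for). The sample log lines are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of the page's NGINXACCESS grok pattern (same field names).
# Differences from the grok version, both deliberate:
#  - request_time is optional, so one parser handles both log_format variants
#  - $http_x_forwarded_for is matched as a quoted string rather than NOTSPACE,
#    because a proxy chain yields "a.b.c.d, e.f.g.h" (with a space) and
#    NOTSPACE would then fail the whole line
NGINX_ACCESS = re.compile(
    r'^(?P<clientip>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>[A-Z]+) (?P<request>\S+)(?: HTTP/(?P<httpversion>\d+\.\d+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?:(?P<bytes>\d+)|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"'
    r'(?: (?P<request_time>\d+(?:\.\d+)?))?$'
)

# Same layout as the date filter's "dd/MMM/yyyy:HH:mm:ss Z"
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Mirrors the mutate { convert => ... } entries of the indexer config
CONVERSIONS = (("response", int), ("bytes", int), ("request_time", float))


def parse_line(line):
    """Return the event dict for one access-log line, or None on a grok-style parse failure."""
    m = NGINX_ACCESS.match(line.rstrip("\n"))
    if m is None:
        return None
    # drop groups that did not participate, e.g. bytes when Nginx logged "-"
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    for field, cast in CONVERSIONS:
        if field in event:
            event[field] = cast(event[field])
    # date filter + remove_field: the log's own time becomes @timestamp (UTC),
    # and the raw timestamp string is dropped
    stamp = datetime.strptime(event.pop("timestamp"), TIME_FORMAT)
    event["@timestamp"] = stamp.astimezone(timezone.utc).isoformat()
    return event


def parse_lines(lines):
    """Split lines into parsed events and the raw lines that would get _grokparsefailure."""
    events, failures = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            failures.append(line)
        else:
            events.append(event)
    return events, failures


# Constructed sample lines (not from a real server): line 1 uses the original
# format, line 2 carries the extra request_time field and a proxy-chain
# X-Forwarded-For, line 3 is a TLS handshake sent to a plain-HTTP port as Nginx
# logs it (rawrequest branch), line 4 is junk that must be reported, not dropped
SAMPLE_LINES = [
    '10.0.0.5 - - [12/Mar/2017:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"',
    '10.0.0.6 - alice [12/Mar/2017:10:15:33 +0800] "POST /login HTTP/1.1" 302 - "http://example.test/" "curl/7.50" "203.0.113.9, 10.0.0.1" 0.042',
    r'192.0.2.7 - - [12/Mar/2017:10:15:34 +0800] "\x16\x03\x01\x00" 400 166 "-" "-" "-"',
    'not an access log line at all',
]

if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for event in ok:
        print(event)
    print(f"{len(bad)} line(s) would get _grokparsefailure:", bad)
```

Feed it the tail of a real access.log and anything that lands in the failures list is exactly what the indexer would tag with _grokparsefailure; fix the pattern until that list is empty before changing patterns_dir on the live node.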
Attached is my own logstash.conf from the production environment at the time (a conf file for logstash-5.2.2):
    input {
      # one Redis list per Nginx host; port and db were blanked out in this listing
      redis {
        data_type => "list"
        key       => "uc01-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
      redis {
        data_type => "list"
        key       => "uc02-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
      redis {
        data_type => "list"
        key       => "p-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
      redis {
        data_type => "list"
        key       => "https-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
      redis {
        data_type => "list"
        key       => "rms01-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
      redis {
        data_type => "list"
        key       => "rms02-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "juzi1@#$%QW"
      }
    }
    filter {
      if [path] =~ "nginx" {
        grok {
          patterns_dir => "./patterns"
          match => { "message" => "%{NGINXACCESS}" }
        }
        mutate {
          remove_field => ["message"]
        }
        # date must run before the timestamp field is removed; otherwise the
        # field is already gone when date looks for it and @timestamp stays at
        # ingest time instead of the time Nginx logged
        date {
          match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
        mutate {
          remove_field => "timestamp"
        }
        geoip {
          source => "clientip"
          target => "geoip"
          database => "/usr/local/GeoLite2-City.mmdb"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
      else {
        drop {}
      }
    }
    output {
      # route each agent's type to its own daily index
      if [type] == "uc01-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-uc01-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
      if [type] == "uc02-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-uc02-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
      if [type] == "p-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-p-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
      if [type] == "https-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-api-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
      if [type] == "rms01-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-rms01-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
      if [type] == "rms02-nginx-access" {
        elasticsearch {
          hosts => [ "192.168.100.70:9200", "192.168.100.71:9200" ]
          index => "logstash-rms02-log-%{+YYYY.MM.dd}"
          user => "logstash_internal"
          password => "changeme"
        }
      }
    }
logstash_indexer.conf
    [root@localhost ~]# cd /usr/local/logstash-5.2./etc
    [root@localhost etc]# cat logstash_agentd.conf
    input {
      file {
        type => "web-nginx-access"
        path => "/usr/local/nginx/logs/access.log"
      }
    }
    output {
      #file {
      #  path => "/tmp/%{+YYYY-MM-dd}.messages.gz"
      #  gzip => true
      #}
      redis {
        data_type => "list"
        key       => "web01-nginx-access-logs"
        host      => "192.168.100.71"
        port      => ""
        db        => ""
        password  => "@#$%QW"
      }
    }
logstash_agentd.conf