Logstash收集nginx访问日志和错误日志

Stella981
• 阅读 855

1、收集访问日志

1)、首先是要在nginx里面配置日志格式化输出

log_format  main  "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | $request_body | $content_length | $http_referer | $http_user_agent |"
                      "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time" ;

    access_log  /var/log/nginx/access.log  main;

2)、接下来开始在logstash创建处理nginx的配置文件

input {
        file {
                path => ["/var/log/nginx/access.log"]
        }
}

filter {
        ruby {
                init => "@kname =['http_x_forwarded_for','time_local','request','status','body_bytes_sent','request_body','content_length','http_referer','http_user_agent','http_cookie','remote_addr','hostname','upstream_addr','upstream_response_time','request_time']"
                code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('message').split('|'))])
                new_event.remove('@timestamp')
                event.append(new_event)
                "
        }

if [request] {
        ruby {
                init => "@kname = ['method','uri','verb']"
                code => "
                        new_event = LogStash::Event.new(Hash[@kname.zip(event.get('request').split(' '))])
                        new_event.remove('@timestamp')
                        event.append(new_event)
                "
        }
 } 
if [uri] {
        ruby{
                init => "@kname = ['url_path','url_args']"
                code => "
                        new_event = LogStash::Event.new(Hash[@kname.zip(event.get('uri').split('?'))])
                        new_event.remove('@timestamp')
                        event.append(new_event)
                "
        }
 }
kv {
        prefix =>"url_"
        source =>"url_args"
        field_split =>"&"
        include_keys => ["uid","cip"]
        remove_field => ["url_args","uri","request"]
}
mutate {
        convert => [
                "body_bytes_sent","integer",
                "content_length","integer",
                "upstream_response_time","float",
                "request_time","float"
        ]
 }
date {
        match => [ "time_local","dd/MMM/yyyy:hh:mm:ss Z" ]
        locale => "en"
 }
}
output{stdout{}}

此处的例子借鉴ELKstack权威指南里面的例子,不过书中的例子有错,我这里修改好了,可以参考书籍39页和66页

github:https://github.com/weixinqing/Logstash-example/blob/master/initnginx.conf

3)、最后允许一下看一下效果所示:

{
                  "url_path" => "/",
           "body_bytes_sent" => 0,
                  "@version" => "1",
                   "message" => "- | 05/Mar/2019:16:21:40 +0800 | GET / HTTP/1.1 | 304 | 0 | - | - | - | Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 |- | 172.16.0.10 | elk-chaofeng07 | - | - | 0.000",
                      "host" => "ELK-chaofeng07",
               "http_cookie" => "- ",
             "upstream_addr" => " - ",
    "upstream_response_time" => 0.0,
                "@timestamp" => 2019-03-05T08:21:41.352Z,
                       "uri" => "/",
                   "request" => " GET / HTTP/1.1 ",
                      "path" => "/var/log/nginx/access.log",
                  "url_args" => nil,
                  "hostname" => " elk-chaofeng07 ",
                      "verb" => "HTTP/1.1",
           "http_user_agent" => " Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0 ",
                "time_local" => " 05/Mar/2019:16:21:40 +0800 ",
              "request_body" => " - ",
               "remote_addr" => " 172.16.0.10 ",
                    "status" => " 304 ",
              "request_time" => 0.0,
                    "method" => "GET",
              "http_referer" => " - ",
                      "tags" => [
        [0] "_dateparsefailure"
    ],
            "content_length" => 0,
      "http_x_forwarded_for" => "- "
}

唯一不足的就是中间报了个错误,可以自行解决一下。

2、收集错误日志

定义logstash处理的配置文件

input{
        file {
                path => ["/var/log/nginx/error.log"]
        }
}
filter{
        grok {
                match => {"message" => "(?<datetime>\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[(?<errortype>\w+)\] \S+: \*\d+ (?<errormsg>[^,]+), \w+: %{IP:remotehost}, \w+: \w+, \w+: (?<request>[^,]+), \w+: \"%{IP:localhost}\""}
        }
        mutate {
                remove_field => ["message"]
        }
if [request] {
        ruby {
                init => "@kname = ['method','uri','verb']"
                code => "
                        new_event = LogStash::Event.new(Hash[@kname.zip(event.get('request').split(' '))])
                        new_event.remove('@timestamp')
                        event.append(new_event)
                "
        }
}

}
output{stdout{}}

查看一下效果:

{
      "@version" => "1",
          "path" => "/var/log/nginx/error.log",
    "remotehost" => "172.16.0.10",
       "request" => "\"GET /8 HTTP/1.1\"",
          "verb" => "HTTP/1.1\"",
           "uri" => "/8",
          "host" => "ELK-chaofeng07",
     "localhost" => "172.16.0.57",
        "method" => "\"GET",
    "@timestamp" => 2019-03-05T10:43:54.377Z,
      "datetime" => "2019/03/05 18:43:53",
      "errormsg" => "open() \"/usr/share/nginx/html/8\" failed (2: No such file or directory)",
     "errortype" => "error"
}
点赞
收藏
评论区
推荐文章
blmius blmius
3年前
MySQL:[Err] 1292 - Incorrect datetime value: ‘0000-00-00 00:00:00‘ for column ‘CREATE_TIME‘ at row 1
文章目录问题用navicat导入数据时,报错:原因这是因为当前的MySQL不支持datetime为0的情况。解决修改sql\mode:sql\mode:SQLMode定义了MySQL应支持的SQL语法、数据校验等,这样可以更容易地在不同的环境中使用MySQL。全局s
待兔 待兔
5个月前
手写Java HashMap源码
HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程22
Jacquelyn38 Jacquelyn38
3年前
2020年前端实用代码段,为你的工作保驾护航
有空的时候,自己总结了几个代码段,在开发中也经常使用,谢谢。1、使用解构获取json数据let jsonData  id: 1,status: "OK",data: 'a', 'b';let  id, status, data: number   jsonData;console.log(id, status, number )
Wesley13 Wesley13
3年前
4. Nginx模块
Nginx官方模块1.ngx\_http\_stub\_status\_modulehttp://nginx.org/en/docs/http/ngx\_http\_stub\_status\_module.html。(https://www.oschina.net/action/GoToLink?urlhttp%3A%2
Stella981 Stella981
3年前
KVM调整cpu和内存
一.修改kvm虚拟机的配置1、virsheditcentos7找到“memory”和“vcpu”标签,将<namecentos7</name<uuid2220a6d1a36a4fbb8523e078b3dfe795</uuid
Wesley13 Wesley13
3年前
00:Java简单了解
浅谈Java之概述Java是SUN(StanfordUniversityNetwork),斯坦福大学网络公司)1995年推出的一门高级编程语言。Java是一种面向Internet的编程语言。随着Java技术在web方面的不断成熟,已经成为Web应用程序的首选开发语言。Java是简单易学,完全面向对象,安全可靠,与平台无关的编程语言。
Stella981 Stella981
3年前
Django中Admin中的一些参数配置
设置在列表中显示的字段,id为django模型默认的主键list_display('id','name','sex','profession','email','qq','phone','status','create_time')设置在列表可编辑字段list_editable
Stella981 Stella981
3年前
Linux日志安全分析技巧
0x00前言我正在整理一个项目,收集和汇总了一些应急响应案例(不断更新中)。GitHub地址:https://github.com/Bypass007/EmergencyResponseNotes本文主要介绍Linux日志分析的技巧,更多详细信息请访问Github地址,欢迎Star。0x01日志简介Lin
Wesley13 Wesley13
3年前
MySQL部分从库上面因为大量的临时表tmp_table造成慢查询
背景描述Time:20190124T00:08:14.70572408:00User@Host:@Id:Schema:sentrymetaLast_errno:0Killed:0Query_time:0.315758Lock_
Python进阶者 Python进阶者
11个月前
Excel中这日期老是出来00:00:00,怎么用Pandas把这个去除
大家好,我是皮皮。一、前言前几天在Python白银交流群【上海新年人】问了一个Pandas数据筛选的问题。问题如下:这日期老是出来00:00:00,怎么把这个去除。二、实现过程后来【论草莓如何成为冻干莓】给了一个思路和代码如下:pd.toexcel之前把这