Nginx logs are collected by filebeat and forwarded to logstash, which processes them and writes them to elasticsearch. Filebeat is responsible only for collection; logstash does the log formatting, value replacement and field splitting, and creates the index when the log is written to elasticsearch.
1. Configure the nginx log format
log_format main '$remote_addr $http_x_forwarded_for [$time_local] $server_name $request '
                '$status $body_bytes_sent $http_referer '
                '"$http_user_agent" '
                '"$connection" '
                '"$http_cookie" '
                '$request_time '
                '$upstream_response_time';
2. Install and configure filebeat and enable the nginx module
tar -zxvf filebeat-6.2.4-linux-x86_64.tar.gz -C /usr/local
cd /usr/local; ln -s filebeat-6.2.4-linux-x86_64 filebeat
cd /usr/local/filebeat
Enable the nginx module
./filebeat modules enable nginx
List the modules
./filebeat modules list
Create the configuration file
vim /usr/local/filebeat/blog_module_logstash.yml

filebeat.modules:
- module: nginx
  access:
    enabled: true
    var.paths: ["/home/weblog/blog.cnfol.com_access.log"]
  #error:
  #  enabled: true
  #  var.paths: ["/home/weblogerr/blog.cnfol.com_error.log"]
output.logstash:
  hosts: ["192.168.15.91:5044"]
Start filebeat
./filebeat -c blog_module_logstash.yml -e
3. Configure logstash
tar -zxvf logstash-6.2.4.tar.gz -C /usr/local
cd /usr/local; ln -s logstash-6.2.4 logstash
Create a pipeline file for the nginx logs:
cd /usr/local/logstash
Logstash's built-in pattern directory
vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns
Edit grok-patterns and add a regex that accepts several IPs
forword (?:%{IPV4}[,]?[ ]?)+|%{WORD}
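As an added example (not code from the post), the custom forword pattern and the post's nginx match expression run as a plain Ruby regex: a small grok-style expander turns %{NAME:field:type} tokens into named groups (Ruby's Onigmo engine accepts the same (?<name>...) groups as Logstash's Joni), then parses two constructed access-log lines in the section 1 log_format. The pattern bodies are simplified rewrites assumed for this example rather than copies of logstash-patterns-core, and [@metadata][webtime] is shortened to webtime because Ruby group names cannot contain brackets. The second line carries "-" in the X-Forwarded-For slot, which neither branch of forword accepts (an IPv4 list or \w+), so it is tagged _grokparsefailure exactly as the pipeline's failure branch would see it.

```ruby
# Added example, not code from the post: a grok-style expander that turns the
# post's custom "forword" pattern and its nginx match into a plain Ruby regex,
# then parses constructed access-log lines in the section-1 log_format.
# Pattern bodies are simplified rewrites for this example, not copies of
# logstash-patterns-core; [@metadata][webtime] becomes plain "webtime" because
# Ruby group names cannot contain brackets.

GROK = {
  "IPV4"         => '(?:\d{1,3}\.){3}\d{1,3}',
  "HOSTNAME"     => '[0-9A-Za-z][0-9A-Za-z.-]*',
  "IPORHOST"     => '(?:%{IPV4}|%{HOSTNAME})',
  "WORD"         => '\b\w+\b',
  "NUMBER"       => '[+-]?(?:\d+(?:\.\d+)?|\.\d+)',
  "NOTSPACE"     => '\S+',
  "HTTPDATE"     => '\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}',
  "URIPATHPARAM" => '/[^\s"]*',
  "QS"           => '"[^"]*"',
  # the multi-IP pattern the post appends to grok-patterns
  "forword"      => '(?:%{IPV4}[,]?[ ]?)+|%{WORD}',
}

# %{NAME}, %{NAME:field} or %{NAME:field:type}
TOKEN = /%\{(\w+)(?::(\w+))?(?::(\w+))?\}/

# Expand tokens (repeatedly, since pattern bodies may contain tokens) into
# named or non-capturing groups. Returns [regex_source, {field => type}].
def grok_expand(pattern, definitions = GROK)
  types = {}
  src = pattern.dup
  while (m = TOKEN.match(src))
    name, field, type = m.captures
    body = definitions.fetch(name) { raise "unknown grok pattern %{#{name}}" }
    types[field] = type if field && type
    group = field ? "(?<#{field}>#{body})" : "(?:#{body})"
    src = src.sub(m[0]) { group }   # block form: no backslash interpretation
  end
  [src, types]
end

# The post's active match expression, with webtime in place of [@metadata][webtime].
NGINX_MATCH =
  '(?:%{IPORHOST:clientip}|-) %{forword:http_x_forwarded_for} ' \
  '\[%{HTTPDATE:webtime}\] (?:%{HOSTNAME:hostname}|-) %{WORD:method} ' \
  '%{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:response} ' \
  '(?:%{NUMBER:bytes}|-) (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) ' \
  '%{QS:agent} (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) ' \
  '%{QS:cookie} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-)'

NGINX_SRC, NGINX_TYPES = grok_expand(NGINX_MATCH)
NGINX_RE = Regexp.new("\\A#{NGINX_SRC}\\z")

# Parse one line the way grok{} would: fields on success, the
# _grokparsefailure tag otherwise. Typed fields (:float) are converted.
def grok_parse(line)
  m = NGINX_RE.match(line)
  return { "tags" => ["_grokparsefailure"] } unless m
  fields = m.named_captures.reject { |_, v| v.nil? }
  NGINX_TYPES.each do |f, t|
    next unless fields.key?(f)
    fields[f] = (t == "float") ? fields[f].to_f : fields[f].to_i
  end
  fields
end

# Constructed lines in the section-1 log_format (not real traffic).
SAMPLE_LINES = [
  '10.0.0.5 203.0.113.7, 198.51.100.9 [23/Apr/2019:10:15:32 +0800] blog.example.test ' \
  'GET /index.html?id=1 HTTP/1.1 200 5120 http://example.test/ ' \
  '"Mozilla/5.0 (X11; Linux x86_64)" "12345" "sid=abc123; theme=dark" 0.012 0.010',
  # no proxy in front: nginx logs "-" for $http_x_forwarded_for, which neither
  # branch of forword (IPv4 list or \w+) accepts, so grok fails on this line
  '10.0.0.6 - [23/Apr/2019:10:15:33 +0800] blog.example.test GET /login HTTP/1.1 ' \
  '302 0 - "curl/7.64.0" "12346" "-" 0.003 0.002',
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| p grok_parse(l) }
end
```

Running the file prints the parsed hash for the first line and {"tags"=>["_grokparsefailure"]} for the second; if lines without a proxy are expected, widen forword (for instance by allowing "-" as a third alternative) before relying on the failure index to catch only genuinely malformed lines.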
Official grok patterns
Create the logstash pipeline configuration file

#input {
#  stdin {}
#}
# Receive data from filebeat
input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}
filter {
  # Add a debug switch
  mutate { add_field => { "[@metadata][debug]" => true } }
  grok {
    # Parse the nginx log
    #match => { "message" => "%{NGINXACCESS_TEST2}" }
    #match => { "message" => '%{IPORHOST:clientip} # (?<http_x_forwarded_for>[^#]*) # \[%{HTTPDATE:[@metadata][webtime]}\] # %{NOTSPACE:hostname} # %{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} # %{NUMBER:response} # (?:%{NUMBER:bytes}|-) # (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) # (?:"(?<http_user_agent>[^#]*)") # (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) # (?:"(?<cookies>[^#]*)") # %{NUMBER:request_time:float} # (?:%{NUMBER:upstream_response_time:float}|-)' }
    #match => { "message" => '(?:%{IPORHOST:clientip}|-) (?:%{TWO_IP:http_x_forwarded_for}|%{IPV4:http_x_forwarded_for}|-) \[%{HTTPDATE:[@metadata][webtime]}\] (?:%{HOSTNAME:hostname}|-) %{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) %{QS:agent} (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) (?:"(?<cookies>[^#]*)") %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-)' }
    match => { "message" => '(?:%{IPORHOST:clientip}|-) %{forword:http_x_forwarded_for} \[%{HTTPDATE:[@metadata][webtime]}\] (?:%{HOSTNAME:hostname}|-) %{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) %{QS:agent} (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) %{QS:cookie} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-)' }
  }
  # Copy the default @timestamp (the time beats collected the line) into a new field @read_timestamp
  ruby {
    #code => "event.set('@read_timestamp',event.get('@timestamp'))"
    # shift the time zone to UTC+8
    code => "event.set('@read_timestamp',event.get('@timestamp').time.localtime + 8*60*60)"
  }
  # Parse the time recorded by nginx
  # time format: 20/May/2015:21:05:56 +0000
  date {
    locale => "en"
    match => ["[@metadata][webtime]","dd/MMM/yyyy:HH:mm:ss Z"]
  }
  # Convert the bytes field from string to integer
  mutate {
    convert => {"bytes" => "integer"}
  }
  # Parse the cookie field into JSON
  #mutate {
  #  gsub => ["cookies",';',',']
  #}
  # Behind a CDN, http_x_forwarded_for holds several IPs; the first one is the user's real IP
  if [http_x_forwarded_for] =~ ", " {
    ruby {
      code => 'event.set("http_x_forwarded_for", event.get("http_x_forwarded_for").split(",")[0])'
    }
  }
  # Resolve the IP to its geographic location
  geoip {
    source => "http_x_forwarded_for"
    # keep only the coordinates, country, city and region of the IP
    fields => ["location","country_name","city_name","region_name"]
  }
  # Parse the agent field to get the browser, OS version and other details
  useragent {
    source => "agent"
    target => "useragent"
  }
  # Fields to delete
  #mutate{remove_field=>["message"]}
  # Derive the index name prefix from the log file name
  ruby {
    code => 'event.set("[@metadata][index_pre]",event.get("source").split("/")[-1])'
  }
  # Format @timestamp as 2019.04.23
  ruby {
    code => 'event.set("[@metadata][index_day]",event.get("@timestamp").time.localtime.strftime("%Y.%m.%d"))'
  }
  # Set the default output index name
  mutate {
    add_field => {
      #"[@metadata][index]" => "%{[@metadata][index_pre]}_%{+YYYY.MM.dd}"
      "[@metadata][index]" => "%{[@metadata][index_pre]}_%{[@metadata][index_day]}"
    }
  }
  # Parse the cookies field into JSON
  #mutate {
  #  gsub => [
  #    "cookies", ";", ",",
  #    "cookies", "=", ":"
  #  ]
  #  #split => {"cookies" => ","}
  #}
  #json_encode {
  #  source => "cookies"
  #  target => "cookies_json"
  #}
  #mutate {
  #  gsub => [
  #    "cookies_json", ',', '","',
  #    "cookies_json", ':', '":"'
  #  ]
  #}
  #json {
  #  source => "cookies_json"
  #  target => "cookies2"
  #}
  # If grok failed to parse the line, write it to a separate index
  if "_grokparsefailure" in [tags] {
  #if "_dateparsefailure" in [tags] {
    mutate {
      replace => {
        #"[@metadata][index]" => "%{[@metadata][index_pre]}_failure_%{+YYYY.MM.dd}"
        "[@metadata][index]" => "%{[@metadata][index_pre]}_failure_%{[@metadata][index_day]}"
      }
    }
  # Otherwise delete message
  } else {
    mutate { remove_field => ["message"] }
  }
}
output {
  if [@metadata][debug] {
    # print with rubydebug, including metadata
    stdout { codec => rubydebug { metadata => true } }
  } else {
    # print a "." per event
    stdout { codec => dots }
    # write to the specified es
    elasticsearch {
      hosts => ["192.168.15.160:9200"]
      index => "%{[@metadata][index]}"
      document_type => "doc"
    }
  }
}
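The filter stage's post-grok rules, as an added example in plain Ruby that is not part of the post and does not run inside Logstash: it takes already-parsed event hashes (constructed here), shifts the ingest time for @read_timestamp, parses $time_local the way the date{} filter does, converts bytes, picks the first X-Forwarded-For hop, and builds the index name including the _failure_ routing. Two deliberate differences from the pipeline above: the first hop is validated with IPAddr and stored in a separate client_ip field instead of overwriting the raw header, because X-Forwarded-For is set by whoever sends the request and only the hops your own CDN or proxy appended are trustworthy, so the raw value is worth keeping for investigation; and the index day uses a fixed +08:00 offset rather than the server's local zone so the result is deterministic. The source path, file names and addresses are constructed.

```ruby
require "time"
require "ipaddr"

# Added example, not the post's code: the post's filter-stage rules written as
# plain Ruby over event hashes, so they can be checked without Logstash.
# Event layout, file names and addresses are constructed for this example.

# Constructed events as they would look after the grok stage.
SAMPLE_EVENTS = [
  { "@timestamp" => Time.utc(2019, 4, 23, 2, 15, 40),      # time beats read the line
    "source" => "/home/weblog/blog.example.test_access.log",
    "webtime" => "23/Apr/2019:10:15:32 +0800",              # nginx $time_local
    "http_x_forwarded_for" => "203.0.113.7, 198.51.100.9",  # CDN appended its own hop
    "bytes" => "5120",
    "message" => "<raw access-log line>",
    "tags" => [] },
  { "@timestamp" => Time.utc(2019, 4, 23, 2, 15, 41),
    "source" => "/home/weblog/blog.example.test_access.log",
    "message" => "<line grok could not parse>",
    "tags" => ["_grokparsefailure"] },
  { "@timestamp" => Time.utc(2019, 4, 23, 2, 15, 42),
    "source" => "/home/weblog/blog.example.test_access.log",
    "webtime" => "23/Apr/2019:10:15:34 +0800",
    "http_x_forwarded_for" => "not-an-ip, 198.51.100.9",    # client-supplied junk in the first hop
    "bytes" => "0",
    "message" => "<raw access-log line>",
    "tags" => [] },
]

# @read_timestamp: ingest time expressed in UTC+8 (the post adds 8h in a ruby{} filter).
def read_timestamp(ingest_time)
  ingest_time.getlocal("+08:00")
end

# $time_local ("23/Apr/2019:10:15:32 +0800") -> Time, what the post's date{} filter does.
def parse_webtime(s)
  Time.strptime(s, "%d/%b/%Y:%H:%M:%S %z")
end

def valid_ipv4?(s)
  IPAddr.new(s).ipv4?
rescue ArgumentError   # IPAddr::InvalidAddressError is a subclass
  false
end

# First X-Forwarded-For hop (the post's "first IP is the real user IP" rule),
# kept only if it parses as IPv4; anything else yields nil so geoip is skipped.
def client_ip_from_xff(xff)
  return nil if xff.nil? || xff == "-"
  first = xff.split(",").first.to_s.strip
  valid_ipv4?(first) ? first : nil
end

# <log file basename>_<yyyy.MM.dd>, with "_failure_" when grok tagged the event.
# The post uses the server's local zone here; a fixed offset keeps this deterministic.
def index_name(source_path, timestamp, tags)
  pre = File.basename(source_path)
  day = timestamp.getlocal("+08:00").strftime("%Y.%m.%d")
  tags.include?("_grokparsefailure") ? "#{pre}_failure_#{day}" : "#{pre}_#{day}"
end

def process_event(event)
  out = event.dup
  tags = Array(event["tags"])
  out["@read_timestamp"] = read_timestamp(event["@timestamp"])
  unless tags.include?("_grokparsefailure")
    out["@timestamp"] = parse_webtime(event["webtime"])   # log time replaces ingest time
    out["bytes"] = Integer(event["bytes"]) if event["bytes"]
    out["client_ip"] = client_ip_from_xff(event["http_x_forwarded_for"])
    out.delete("message")   # the raw line is dropped only when it parsed cleanly
  end
  out["index"] = index_name(event["source"], out["@timestamp"], tags)
  out
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each { |e| p process_event(e) }
end
```

The failed event keeps its message and lands in the _failure_ index, so the raw line can be inspected later; the event with a non-IP first hop gets client_ip nil rather than feeding an unparseable value to geoip.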
Start logstash
nohup bin/logstash -f test_pipline2.conf &