A supplementary note on using the Nginx access log. A log format normally has to be defined in the main nginx.conf configuration file:
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time';

The format above is the default one with a single $request_time appended.
Then the sub-configuration (server block) just uses it:

    access_log logs/myapp.log main;

That is all that is needed.
Filebeat configuration for shipping log data directly to ElasticSearch:

    su -e elk
    cd /usr/local/elk
    vim beats/filebeat/filebeat.test_nginx.yml

Configuration details:

    filebeat.prospectors:
    - type: log
      input_type: log
      paths:
        - /work/yphp/nginx/logs/*.log
      tags: ["ngx", "yujc"]
      fields:
        logIndex: nginx
        docType: nginx-access
      fields_under_root: true
      tail_files: false
    output.elasticsearch:
      hosts: ["127.0.0.1:9200"]
      index: "test-nginx-%{+yyyy.MM.dd}"

Configuration notes:
filebeat.prospectors:
    type: the log type, default log
    input_type: the input type, default log
    paths: the logs to collect; wildcards are allowed and multiple paths are supported
    tags: custom tags, given as an array
    fields: custom fields
    fields_under_root: whether the custom fields are added at the root of the document. If false, the fields configured under fields are nested under a key named fields
    tail_files: whether to start collecting from the end of the file
    document_type: a custom field used by Logstash to tell sources apart; in Logstash it is available as the variable type
output.elasticsearch:
    hosts: the ES nodes, as an array; multiple nodes are supported
    index: the ES index. If not set, the default filebeat-* is used
    protocol: the protocol, e.g. http or https
    username: the ES username, e.g. elastic
    password: the ES password, e.g. changeme
Set the file permissions to 600 and start filebeat:

    chmod -R 600 beats/filebeat/filebeat.test_nginx.yml
    ./beats/filebeat/filebeat -c beats/filebeat/filebeat.test_nginx.yml

Then make some requests to the Nginx application and check whether a new index has appeared in ES:
    $ curl -s :9200/_cat/indices?v | grep test-nginx
    yellow open test-nginx-2018.09.24 ArxrVVOkTjG8ZlXJjb9bVg 5 1 1 0 11.6kb 11.6kb

Let's look at one document (the URL is quoted so the shell does not treat & as a background operator):
    $ curl -s ':9200/test-nginx-2018.09.24/_search?q=*&size=1'
    {
      "_index": "test-nginx-2018.09.24",
      "_type": "doc",
      "_id": "AWYKkBqtJzfnbYlB_DRX",
      "_version": 1,
      "_score": null,
      "_source": {
        "@timestamp": "2018-09-24T07:51:43.140Z",
        "beat": {
          "hostname": "2106567e5bce",
          "name": "2106567e5bce",
          "version": "5.6.2"
        },
        "docType": "nginx-access",
        "input_type": "log",
        "logIndex": "nginx",
        "message": "172.16.10.1 - - [24/Sep/2018:07:51:40 +0000] \"GET /?time=22 HTTP/1.1\" 200 97991 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36\" \"-\" 0.009",
        "offset": 5243,
        "source": "/work/yphp/nginx/logs/hello71.log",
        "tags": [ "ngx", "yujc" ],
        "type": "log"
      },
      "fields": { "@timestamp": [ 1537775503140 ] },
      "sort": [ 1537775503140 ]
    }

The data is there, but the whole log line has been stored as a single field (message), so individual values such as the status code or client IP cannot be queried on their own.
Configuration with Filebeat collecting the logs and Logstash filtering them before sending to ElasticSearch:

    su -e elk
    cd /usr/local/elk
    vim beats/filebeat/filebeat.test_nginx2.yml

Configuration details:

    filebeat.prospectors:
    - type: log
      input_type: log
      paths:
        - /work/yphp/nginx/logs/*.log
      tags: ["ngx", "yujc"]
      fields:
        logIndex: nginx
        docType: nginx-access
      fields_under_root: true
      tail_files: false
    output.logstash:
      hosts: ["127.0.0.1:5044"]

Configure Logstash:
    su -e elk
    cd /usr/local/elk
    vim logstash/config/conf.d/filebeat.conf

Configuration details:

    input {
      beats {
        port => 5044
      }
    }
    filter {
      grok {
        match => {
          "message" => "%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent:bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{DATA:x_forwarded_for}\" %{NUMBER:request_time}"
        }
        remove_field => "message"
      }
    }
    output {
      elasticsearch {
        hosts => ["127.0.0.1:9200"]
        index => "test-nginx2-%{type}-%{+YYYY.MM.dd}"
        document_type => "%{type}"
      }
      stdout { codec => rubydebug }
    }

The nginx log format I use appends two fields, $http_x_forwarded_for and $request_time, to the standard format:
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time';

Sample log line:

    172.16.10.1 - - [24/Sep/2018:09:04:40 +0000] "GET /?time=2244 HTTP/1.1" 200 98086 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "-" 0.002

The grok expression used above is:

    %{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent:bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{DATA:x_forwarded_for}\" %{NUMBER:request_time}
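As an added example (not code from the original post), the Python below mirrors that grok expression as a regex, applies the int/float conversions the grok filter is meant to do, and treats a non-matching line the way Logstash does (the event keeps its message and gets a _grokparsefailure tag). The sample lines and the field names are constructed to match the log format above.

```python
import re

# Regex equivalent of the grok expression in the Logstash filter above.
# Grok's IPORHOST, DATA, HTTPDATE, WORD and NUMBER are approximated with
# plain character classes; the group names match the grok capture names.
NGINX_ACCESS_RE = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user_name>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<http_version>\d+\.\d+)" '
    r'(?P<response_code>\d{3}) (?P<body_sent>\d+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" "(?P<x_forwarded_for>[^"]*)" '
    r'(?P<request_time>\d+\.\d+)$'
)

# Constructed sample lines: the one from the post, one with X-Forwarded-For
# set, and one that does not match the format at all.
SAMPLE_LINES = [
    '172.16.10.1 - - [24/Sep/2018:09:04:40 +0000] "GET /?time=2244 HTTP/1.1" '
    '200 98086 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36" "-" 0.002',
    '10.0.0.5 - alice [24/Sep/2018:09:05:01 +0000] "POST /login HTTP/1.1" '
    '302 0 "http://example.test/" "curl/7.58.0" "203.0.113.9, 10.0.0.5" 0.117',
    'this line is not in the expected format',
]


def parse_nginx_access(line: str) -> dict:
    """Parse one access-log line into the fields the grok filter produces."""
    m = NGINX_ACCESS_RE.match(line.rstrip("\n"))
    if m is None:
        # Logstash leaves an unmatched event untouched and tags it
        # _grokparsefailure; do the same so bad lines stay visible, not dropped.
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    # grok only converts with ":int" / ":float"; "%{NUMBER:body_sent:bytes}"
    # in the filter above is not a valid conversion, so body_sent would stay a
    # string in ES. Convert explicitly so range queries on these fields work.
    event["response_code"] = int(event["response_code"])
    event["body_sent"] = int(event["body_sent"])
    event["request_time"] = float(event["request_time"])
    # "-" is nginx's placeholder for an absent value.
    for key in ("user_name", "referrer", "x_forwarded_for"):
        if event[key] == "-":
            event[key] = None
    # X-Forwarded-For is supplied by the client/proxies and may be a list; keep
    # remote_ip as the trusted peer address and expose the header as a list.
    if event["x_forwarded_for"] is not None:
        event["x_forwarded_for"] = [p.strip() for p in event["x_forwarded_for"].split(",")]
    return event
```

Running parse_nginx_access over SAMPLE_LINES yields two structured events and one tagged failure, which is the split you would want to alert on if the Nginx log_format and the grok pattern ever drift apart.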