Processing Nginx logs with Logstash

一、Install Nginx

The package used here is nginx-1.18.0.tar.gz, placed directly in the root user's home directory (/root).

  1. Create a nginx folder under /usr/local/ and enter it
cd /usr/local
mkdir nginx
cd nginx
  2. Extract the nginx package into /usr/local/nginx.
tar zxvf /root/nginx-1.18.0.tar.gz -C ./

二、Install the additional dependencies first

yum -y install pcre-devel 
yum -y install openssl openssl-devel

The default build also needs zlib for the gzip module: if ./configure stops with "the HTTP gzip module requires the zlib library", install the zlib-devel package as well.

三、Compile and install Nginx

cd nginx-1.18.0 
./configure 
make && make install

With no --prefix given, ./configure defaults to /usr/local/nginx, so after installation the nginx executable is at /usr/local/nginx/sbin/nginx

四、Start Nginx

Run the binary directly:

[root@localhost sbin]# /usr/local/nginx/sbin/nginx

To stop the Nginx service:

/usr/local/nginx/sbin/nginx -s stop

To reload Nginx after editing the configuration file (a reload is rejected if the configuration has a syntax error, so it is worth testing it with the -t option first):

/usr/local/nginx/sbin/nginx -s reload

Note: the configuration file is at:

/usr/local/nginx/conf/nginx.conf

五、Verify in the browser

Open http://<server address>/ in a browser; the default Nginx welcome page should appear.

[screenshot: clipboard.png]

六、Configure formatted log output in nginx

Open the configuration file and add a log_format.

vim /usr/local/nginx/conf/nginx.conf

The log_format, and the access_log directive that uses it, go inside the http block:

log_format  main  "$http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | $request_body | $content_length | $http_referer | $http_user_agent |"
                      "$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time" ;

    access_log  /var/log/nginx/access.log  main;

[screenshot: clipboard1.png]

The access_log line defines where the log file is written. nginx creates the file itself, but not the directory, and a source build does not create /var/log/nginx, so create that directory before reloading. Reload nginx after the change.

Two things to keep in mind about this format. $http_cookie and $request_body copy session cookies and whatever clients submit in request bodies into the access log ($request_body is only populated where nginx has buffered the body, for example behind proxy_pass), so restrict the permissions of the log file and drop those two fields unless an investigation really needs them. $http_x_forwarded_for is supplied by the client and is only a reliable client address when a proxy you control sets it; $remote_addr is the address nginx actually saw.

七、Write the Logstash configuration file

Go to the Logstash installation directory and create a new pipeline configuration file, for example logstash_nginx.conf. Below it is saved in the config directory that ships with Logstash; the logs directory listed next holds Logstash's own log files and is not where the pipeline configuration belongs.

[root@localhost ~]# cd /usr/local/logstash/logstash-7.8.0/
[root@localhost logstash-7.8.0]# ls
bin     CONTRIBUTORS  Gemfile       hs_err_pid5608.log  lib          logs           logstash-core-plugin-api  NOTICE.TXT  test.conf  vendor
config  data          Gemfile.lock  l1.log              LICENSE.txt  logstash-core  modules                   sensor39    tools      x-pack
[root@localhost logstash-7.8.0]# cd logs
[root@localhost logs]# ls
logstash-deprecation.log            logstash-plain-2020-07-27-1.log.gz  logstash-plain-2020-07-28-2.log.gz  logstash-plain.log
logstash-plain-2020-07-24-1.log.gz  logstash-plain-2020-07-28-1.log.gz  logstash-plain-2020-07-28-3.log.gz  logstash-slowlog-plain.log
[root@localhost logs]# 

Now write the configuration that processes the nginx log in Logstash. Each filter stage is commented.

input {
        file {
                path => ["/var/log/nginx/access.log"]
                # by default only lines appended after Logstash starts are read;
                # add start_position => "beginning" to replay an existing file once
        }
}

filter {
        # map the "|"-separated columns onto the field names of the nginx
        # log_format, in the same order, stripping the blanks around each "|"
        ruby {
                init => "@kname = ['http_x_forwarded_for','time_local','request','status','body_bytes_sent','request_body','content_length','http_referer','http_user_agent','http_cookie','remote_addr','hostname','upstream_addr','upstream_response_time','request_time']"
                code => "
                        values = event.get('message').split('|').map(&:strip)
                        # nginx does not escape '|', so a '|' inside a client-controlled
                        # value (User-Agent, Referer, Cookie, body) shifts every later
                        # column; tag such lines instead of mapping the wrong values
                        if values.size == @kname.size
                                @kname.zip(values).each { |k, v| event.set(k, v) }
                        else
                                event.set('tags', (event.get('tags') || []) + ['_fieldcountmismatch'])
                        end
                "
        }

        # $request is 'METHOD URI HTTP/x.y'; the third part is the protocol
        # version (kept under the name 'verb' as in the output below)
        if [request] {
                ruby {
                        init => "@kname = ['method','uri','verb']"
                        code => "
                                @kname.zip(event.get('request').split(' ', 3)).each { |k, v| event.set(k, v) if v }
                        "
                }
        }

        # split the URI into path and query string
        if [uri] {
                ruby {
                        init => "@kname = ['url_path','url_args']"
                        code => "
                                @kname.zip(event.get('uri').split('?', 2)).each { |k, v| event.set(k, v) if v }
                        "
                }
        }

        # keep only the uid and cip query parameters, as url_uid / url_cip
        kv {
                prefix => "url_"
                source => "url_args"
                field_split => "&"
                include_keys => ["uid","cip"]
                remove_field => ["url_args","uri","request"]
        }

        mutate {
                convert => [
                        "body_bytes_sent","integer",
                        "content_length","integer",
                        "upstream_response_time","float",
                        "request_time","float"
                ]
        }

        # nginx $time_local is on a 24-hour clock: HH, not hh
        date {
                match => [ "time_local","dd/MMM/yyyy:HH:mm:ss Z" ]
                locale => "en"
        }
}

output { stdout {} }

Then run Logstash from the installation directory, pointing -f at the file just created:

./bin/logstash -f config/logstash_nginx.conf

Look at the result. Note the "_dateparsefailure" tag and the blanks kept around values such as " 404 " and " 192.168.0.128 ": splitting on "|" alone leaves the surrounding spaces, and the pattern hh is a 12-hour clock, so the 14:47:09 timestamp does not parse and @timestamp keeps the ingest time (06:49 UTC) rather than the request time (14:47 +0800). The fix is to strip each value and to use HH in the date pattern.

{
           "http_user_agent" => " Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3775.400 QQBrowser/10.6.4208.400 ",
                  "url_path" => "/favicon.ico",
    "upstream_response_time" => 0.0,
                      "path" => "/var/log/nginx/access.log",
                    "method" => "GET",
                  "@version" => "1",
                  "url_args" => nil,
               "remote_addr" => " 192.168.0.128 ",
                "@timestamp" => 2020-07-29T06:49:03.675Z,
                   "message" => "- | 29/Jul/2020:14:47:09 +0800 | GET /favicon.ico HTTP/1.1 | 404 | 555 | - | - | - | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3775.400 QQBrowser/10.6.4208.400 |- | 192.168.0.128 | localhost.localdomain | - | - | 0.000",
                   "request" => " GET /favicon.ico HTTP/1.1 ",
      "http_x_forwarded_for" => "- ",
                    "status" => " 404 ",
                "time_local" => " 29/Jul/2020:14:47:09 +0800 ",
            "content_length" => 0,
             "upstream_addr" => " - ",
                       "uri" => "/favicon.ico",
                      "host" => "localhost.localdomain",
              "http_referer" => " - ",
               "http_cookie" => "- ",
                      "tags" => [
        [0] "_dateparsefailure"
    ],
                      "verb" => "HTTP/1.1",
              "request_body" => " - ",
                  "hostname" => " localhost.localdomain ",
              "request_time" => 0.0,
           "body_bytes_sent" => 555
}
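The parsing done by the ruby, kv, mutate and date filters above, re-implemented in plain Ruby as an added example (not code from the original post or from Logstash) so it can be run and checked offline. It reproduces the column mapping in the order of the nginx log_format, the request and URI splits, the uid/cip extraction, the type conversions and the time_local parsing with a 24-hour pattern, and it adds the field-count check that catches a "|" injected through a client-controlled header. The function name parse_access_line and the two sample lines are constructed for this example; the second line is the first with a "|" inserted into the User-Agent.

```ruby
# Added example, not code from the original post: a plain-Ruby re-implementation of
# the Logstash filter chain so the column mapping, type conversion, date parsing and
# the field-count check can be exercised offline. Sample lines are constructed.
require 'time'

# Field names in the order of the nginx log_format (= @kname of the first ruby filter).
FIELDS = %w[http_x_forwarded_for time_local request status body_bytes_sent
            request_body content_length http_referer http_user_agent http_cookie
            remote_addr hostname upstream_addr upstream_response_time request_time].freeze
INTEGER_FIELDS = %w[body_bytes_sent content_length].freeze           # mutate convert integer
FLOAT_FIELDS   = %w[upstream_response_time request_time].freeze      # mutate convert float
KV_KEYS        = %w[uid cip].freeze                                  # kv include_keys

# Parses one access-log line into a Hash of fields plus a 'tags' array.
def parse_access_line(line)
  event = { 'message' => line, 'tags' => [] }
  parts = line.split('|').map(&:strip)   # drop the blanks around each " | "

  # nginx's default log escaping leaves '|' untouched, so a '|' inside a
  # client-controlled value (User-Agent, Referer, Cookie, request body) shifts
  # every later column. Refuse to map the columns unless the count is exact.
  unless parts.size == FIELDS.size
    event['tags'] << '_fieldcountmismatch'
    return event
  end
  event.merge!(FIELDS.zip(parts).to_h)

  # $request is "METHOD URI HTTP/x.y" (or just "-" for an unparsable request)
  method, uri, version = event['request'].split(' ', 3)
  event['method'] = method
  event['uri'] = uri
  event['verb'] = version   # the post's name for the HTTP version field

  # split the URI into path and query string; keep only uid and cip from the query
  path, args = uri.to_s.split('?', 2)
  event['url_path'] = path
  args.to_s.split('&').each do |pair|
    key, value = pair.split('=', 2)
    event["url_#{key}"] = value if KV_KEYS.include?(key)
  end

  INTEGER_FIELDS.each { |f| event[f] = event[f].to_i }   # "-" becomes 0, as in Logstash
  FLOAT_FIELDS.each   { |f| event[f] = event[f].to_f }

  # $time_local is on a 24-hour clock: %H here, "HH" in the Logstash date filter
  begin
    event['@timestamp'] = Time.strptime(event['time_local'], '%d/%b/%Y:%H:%M:%S %z')
  rescue ArgumentError
    event['tags'] << '_dateparsefailure'
  end
  event
end

# Constructed sample line in the post's log_format (15 "|"-separated columns).
NORMAL_LINE = '- | 29/Jul/2020:14:47:09 +0800 | GET /search?uid=42&cip=10.0.0.5&q=x HTTP/1.1 | 200 | 555 | - | 0 | - | Mozilla/5.0 | - | 192.168.0.128 | localhost.localdomain | - | - | 0.000'.freeze
# Same request, but the User-Agent carries a '|', so the columns no longer line up.
INJECTED_LINE = NORMAL_LINE.sub('Mozilla/5.0', 'Mozilla/5.0 | 10.9.9.9').freeze

if __FILE__ == $PROGRAM_NAME
  [NORMAL_LINE, INJECTED_LINE].each do |line|
    ev = parse_access_line(line)
    puts "tags=#{ev['tags'].inspect} remote_addr=#{ev['remote_addr'].inspect} " \
         "url_uid=#{ev['url_uid'].inspect} timestamp=#{ev['@timestamp'].inspect}"
  end
end
```

Running it shows the normal line mapped with url_uid "42" and a 2020-07-29 06:47:09 UTC timestamp, while the injected line gets only the _fieldcountmismatch tag and no remote_addr. In Logstash the same count check belongs in the first ruby filter, where the tag can feed a conditional output or an alert instead of silently producing records whose client address came from the attacker's User-Agent.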