Recording Nginx server access and error logs with Logstash

nginx-log.conf

input {
  file {
    path => "/nginx/access.log"
    start_position => "beginning"  # On the first run read from the start; afterwards only newly appended lines are collected
    stat_interval => "3"           # Interval (seconds) between checks of the file for new data
    type => "nginx_access"
    sincedb_path => "/tmp/nginx_access-01.data"
  }
  file {
    path => "/nginx/error.log"
    start_position => "beginning"  # On the first run read from the start; afterwards only newly appended lines are collected
    stat_interval => "3"           # Interval (seconds) between checks of the file for new data
    type => "nginx_error"
    sincedb_path => "/tmp/nginx_error_11b.data"
    # Lines that do not start with a four-digit year followed by "/" are appended to the previous event
    codec => multiline {
      pattern => "^\d{4}\/"
      what => "previous"
      negate => true
      auto_flush_interval => 1
    }
  }
}

filter {
  if [type] == "nginx_access" {
    grok {
      match => { "message" => "%{IPORHOST:remote_addr} - %{DATA:remote_user} \[%{HTTPDATE:time_local}\] \"%{WORD:request_method} %{DATA:uri} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent_bytes} \"%{DATA:http_referrer}\" \"%{DATA:http_user_agent}\"" }
    }
    # Use the date plugin to set the Logstash event timestamp from the timestamp in the nginx log
    date {
      match => [ "time_local", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  } else if [type] == "nginx_error" {
    grok {
      match => { "message" => "(?<time_local>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:log_level}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:error_message}(?:, client: (?<clientip>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server}?)?(?:, request: %{QS:request})?(?:, upstream: (?<upstream>\"%{URI}\"|%{QS}))?(?:, host: %{QS:request_host})?(?:, referrer: \"%{URI:http_referrer}\")?" }
    }
    # Use the date plugin to set the Logstash event timestamp from the timestamp in the nginx log
    date {
      match => [ "time_local", "YYYY/MM/dd HH:mm:ss" ]
      target => "@timestamp"
    }
    # As written, time_local is removed only from error events; access events keep it
    mutate {
      remove_field => "time_local"
    }
  }
}

output {
  if [type] == "nginx_access" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "nginx-access-%{+YYYY.MM.dd}"
      # Credentials are inline in this file; a Logstash keystore entry referenced as ${KEY} keeps them out of it
      user => "logstash_write"
      password => "logstash_write"
    }
  }
  if [type] == "nginx_error" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "nginx-error-%{+YYYY.MM.dd}"
      user => "logstash_write"
      password => "logstash_write"
    }
  }
}
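
The access-log grok pattern above can be checked offline before it is deployed. The following Python sketch is an added example, not part of the original post: it approximates the grok pattern with a plain regular expression (IPORHOST, HTTPDATE and NUMBER are simplified, and the sample lines are constructed) and shows which lines would fail to match.

```python
import re
from datetime import datetime

# Plain-regex approximation of the access-log grok pattern above (assumption:
# IPORHOST, HTTPDATE and NUMBER are simplified; field names match the config).
ACCESS_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>.*?) '
    r'\[(?P<time_local>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<request_method>\w+) (?P<uri>.*?) HTTP/(?P<http_version>\d+(?:\.\d+)?)" '
    r'(?P<response_code>\d+) (?P<body_sent_bytes>\d+) '
    r'"(?P<http_referrer>.*?)" "(?P<http_user_agent>.*?)"'
)

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LINES = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0.1"',
    '192.0.2.11 - alice [10/Oct/2023:13:55:40 +0800] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
    # Request line that is not "<METHOD> <URI> HTTP/<version>", e.g. TLS bytes sent to a plain-HTTP port.
    '192.0.2.12 - - [10/Oct/2023:13:56:01 +0800] "\\x16\\x03\\x01" 400 157 "-" "-"',
    # Empty request line (connection closed before a request was sent).
    '192.0.2.13 - - [10/Oct/2023:13:56:05 +0800] "-" 400 0 "-" "-"',
]

def parse_access(line):
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    m = ACCESS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Same conversion as the date filter: "dd/MMM/yyyy:HH:mm:ss Z".
    fields["@timestamp"] = datetime.strptime(fields["time_local"], "%d/%b/%Y:%H:%M:%S %z")
    return fields

def split_parsed(lines):
    """Separate lines the pattern matches from lines it does not."""
    parsed, failed = [], []
    for line in lines:
        fields = parse_access(line)
        if fields is None:
            failed.append(line)
        else:
            parsed.append(fields)
    return parsed, failed

if __name__ == "__main__":
    ok, bad = split_parsed(SAMPLE_LINES)
    print(f"parsed={len(ok)} unparsed={len(bad)}")
    for line in bad:
        print("no match:", line)
```

Lines that fail grok are still indexed, tagged `_grokparsefailure` and without the extracted fields, so malformed requests such as the two constructed 400 lines are worth searching for by that tag.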
