注意:修改配置後建議重新建立index
1、nginx 日志檔案格式
1
2
3
<code>log_format elk "$http_clientip | $http_x_forwarded_for | $time_local | $request | $status | $body_bytes_sent | "</code>
<code> </code><code>"$request_body | $content_length | $http_referer | $http_user_agent | "</code>
<code> </code><code>"$http_cookie | $remote_addr | $hostname | $upstream_addr | $upstream_response_time | $request_time";</code>
2、logstash nginx 伺服器上的配置檔案 agent.conf
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
<code>input { </code>
<code> </code><code>file { </code>
<code> </code><code>type => "elk_frontend_access" </code>
<code> </code><code>path => ["/data/logs/flight1-access_log"] </code>
<code> </code><code>}</code>
<code>} </code>
<code>filter {</code>
<code>ruby {</code>
<code>init => "@kname = ['http_clientip','http_x_forwarded_for','time_local','request','status','body_bytes_sent','request_body','content_length','http_referer','http_user_agent','http_cookie','remote_addr','hostname','upstream_addr','upstream_response_time','request_time']"</code>
<code>code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('message').split('|'))])</code>
<code>new_event.remove('@timestamp')</code>
<code>event.append(new_event)"</code>
<code>}</code>
<code>if [request] {</code>
<code>init => "@kname = ['method','uri','verb']"</code>
<code>code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('request').split(' '))])</code>
<code>event.append(new_event)</code>
<code>"</code>
<code>if [uri] {</code>
<code>init => "@kname = ['url_path','url_args']"</code>
<code>code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('uri').split('?'))])</code>
<code>kv {</code>
<code>prefix => "url_"</code>
<code>source => "url_args"</code>
<code>field_split => "& "</code>
<code>remove_field => [ "url_args","uri","request" ]</code>
<code>mutate {</code>
<code>convert => ["body_bytes_sent" , "integer", "content_length", "integer", "upstream_response_time", "float","request_time", "float"]</code>
<code>date {</code>
<code>match => [ "time_local", "dd/MMM/yyyy:hh:mm:ss Z" ]</code>
<code>locale => "en"</code>
<code> </code><code>grok {</code>
<code> </code><code>match => { "message" => "%{IP:clientip}" }</code>
<code> </code><code>}</code>
<code> </code><code>geoip </code>
<code>{</code>
<code> </code><code>source => "clientip"</code>
<code>output {</code>
<code> </code><code>redis { </code>
<code> </code><code>host => "10.10.45.200" </code>
<code> </code><code>data_type => "list" </code>
<code> </code><code>key => "elk_frontend_access:redis" </code>
<code> </code><code>port=>"5379" </code>
<code> </code><code>} </code>
3、logstash elk伺服器上的配置檔案server.conf
<code> </code><code>port =>"5379" </code>
<code>output { </code>
<code> </code><code>elasticsearch { </code>
<code> </code><code>hosts => "10.10.45.200:8200" </code>
<code> </code><code>index => "logstash-zjzc-frontend-%{+YYYY.MM.dd}" </code>
<code> </code><code>stdout { </code>
<code> </code><code>codec => rubydebug </code>
注意:如果修改後沒有生效,在kibana上重建索引。
本文轉自1321385590 51CTO部落格,原文連結:http://blog.51cto.com/linux10000/1922391,如需轉載請自行聯系原作者
![(Nginx)03_Nginx原理與優化一、Nginx原理二、master-workers機制三、面試題:[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)