To make it easier for the ELK log platform to collect and display Nginx logs, the Nginx log can be changed to JSON format.
https://www.jianshu.com/p/b6ba259777e7
1. Modify the nginx configuration file
[[email protected] ~]# vim /etc/nginx/nginx.conf
## Open the nginx configuration file and add the following
log_format json '{ "time_local": "$time_local", '
'"remote_addr": "$remote_addr", '
'"referer": "$http_referer", '
'"request": "$request", '
'"status": $status, '
'"bytes": $body_bytes_sent, '
'"agent": "$http_user_agent", '
'"x_forwarded": "$http_x_forwarded_for", '
'"up_addr": "$upstream_addr",'
'"up_host": "$upstream_http_host",'
'"up_resp_time": "$upstream_response_time",'
'"request_time": "$request_time"'
' }';
## Then change the access log directive to use the json format
access_log /var/log/nginx/access.log json;
2. Clear the existing nginx log
[[email protected] ~]# > /var/log/nginx/access.log
3. Restart nginx so that the configuration takes effect
[[email protected] ~]# systemctl restart nginx
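4. Use the ab command to simulate access
You can also visit the site with a browser to generate access log entries manually
5. View the log
The log format has now changed to JSON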
[[email protected] ~]# tailf /var/log/nginx/access.log
{ "time_local": "22/Jun/2020:08:53:21 +0800", "remote_addr": "172.16.210.53", "referer": "-", "request": "GET / HTTP/1.0", "status": 200, "bytes": 4833, "agent": "ApacheBench/2.3", "x_forwarded": "-", "up_addr": "-","up_host": "-","up_resp_time": "-","request_time": "0.000" }
6. Use es-head to check whether the index has been created
filebeat collects the data and then exports it to elasticsearch
7. Modify the filebeat configuration file
[[email protected] ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  ## Add these two lines so that JSON-formatted logs can be parsed
  json.keys_under_root: true
  json.overwrite_keys: true
output.elasticsearch:
  hosts: ["172.16.210.53:9200"]
8. Restart filebeat
[[email protected] ~]# systemctl restart filebeat
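9. Go back to the Kibana web interface and create the index pattern
Click Management
Click Create index pattern
Enter the name of the index that filebeat exported to elasticsearch, then click Next step
For the time filter field name, select @timestamp, then click Create index pattern
Then click Discover to view the data in the index you created
Click the small triangle to see that every entry is JSON data with its fields mapped one to one
You can then select the corresponding field names to view the specific information you want
For example, to see which IPs have accessed the site, select remote_addr and click add
Only the accessing IPs are displayed
To also see the status codes returned to these IPs, add status
And so on: add whatever you want to display
If you do not want to see the access information for a certain IP, you can also exclude that IP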
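The log_format in step 1 places client-controlled values ($http_user_agent, $http_referer, $request) inside JSON strings without the escape=json parameter (nginx 1.11.8 and later), so nginx applies its default \xXX escaping, and \x is not a valid JSON escape. The Python sketch below is an added example, not part of the original article: it models both escaping modes on constructed log lines (the four-field subset and the sample values are assumptions) to show which lines a JSON decoder, such as the one Filebeat applies in step 7, can split into fields.

```python
import json

# Subset of the page's log_format as a Python template (assumption: 4 fields show the effect).
TEMPLATE = ('{{ "remote_addr": "{remote_addr}", "request": "{request}", '
            '"status": {status}, "agent": "{agent}" }}')

def escape_default(value):
    """Model of nginx's default log escaping: '"', '\\', bytes < 32 or > 126 become \\xXX."""
    return "".join("\\x%02X" % b if b in (0x22, 0x5C) or b < 32 or b > 126 else chr(b)
                   for b in value.encode("utf-8"))

def escape_json(value):
    """Model of escape=json: '"' and '\\' get a backslash, control chars become \\n, \\t or \\u00XX."""
    short = {8: "\\b", 9: "\\t", 10: "\\n", 12: "\\f", 13: "\\r"}
    out = []
    for ch in value:
        if ch in '"\\':
            out.append("\\" + ch)
        elif ord(ch) < 32:
            out.append(short.get(ord(ch), "\\u%04X" % ord(ch)))
        else:
            out.append(ch)
    return "".join(out)

def render(fields, escape):
    """Build one access-log line, escaping every string variable with the chosen mode."""
    return TEMPLATE.format(**{k: escape(v) if isinstance(v, str) else v
                              for k, v in fields.items()})

def parses(line):
    """True if the line is valid JSON, i.e. a JSON decoder can split it into fields."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample requests (not taken from a real log).
BENIGN = {"remote_addr": "172.16.210.53", "request": "GET / HTTP/1.0",
          "status": 200, "agent": "ApacheBench/2.3"}
QUOTED = dict(BENIGN, agent='curl/7.0 "probe"')  # User-Agent containing a double quote

if __name__ == "__main__":
    for name, fields in (("benign", BENIGN), ("quoted", QUOTED)):
        for mode in (escape_default, escape_json):
            line = render(fields, mode)
            print(f"{name:7} {mode.__name__:15} valid_json={parses(line)}  {line}")
```

To apply the corrected mode in nginx.conf, write `log_format json escape=json '{ ... }';`. In that mode an unset variable is logged as an empty string rather than `-`.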