Collecting nginx access logs with Logstash
阿新 • Published: 2021-11-19
Most of this article references and quotes: https://www.cnblogs.com/Dev0ps/p/9313418.html
1. Install nginx
Reference: https://www.cnblogs.com/fuanyu/p/14601345.html
Now modify nginx.conf
Official documentation: http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format

    # Change the log format in the configuration file:
    vi /usr/local/nginx/conf/nginx.conf
    # Add inside the http block
    log_format json '{"@timestamp":"$time_iso8601",'
                    '"@version":"1",'
                    '"client":"$remote_addr",'
                    '"url":"$uri",'
                    '"status":"$status",'
                    '"domain":"$host",'
                    '"host":"$server_addr",'
                    '"size":$body_bytes_sent,'
                    '"responsetime":$request_time,'
                    '"referer": "$http_referer",'
                    '"ua": "$http_user_agent"'
                    '}';
    # Add inside the server block
    access_log /usr/local/nginx/logs/access.log json;
After saving, start nginx:
/usr/local/nginx/sbin/nginx
The complete nginx.conf file is as follows:
    user root;
    worker_processes 1;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        # include ip.black;
        default_type application/octet-stream;

        log_format access_json '{"@timestamp":"$time_iso8601",'
                               '"host":"$server_addr",'
                               '"clientip":"$remote_addr",'
                               '"size":$body_bytes_sent,'
                               '"responsetime":$request_time,'
                               '"upstreamtime":"$upstream_response_time",'
                               '"upstreamhost":"$upstream_addr",'
                               '"http_host":"$host",'
                               '"url":"$uri",'
                               '"domain":"$host",'
                               '"xff":"$http_x_forwarded_for",'
                               '"referer":"$http_referer",'
                               '"status":"$status"}';
        access_log /usr/local/nginx/logs/access.log access_json;

        sendfile on;
        #tcp_nopush on;

        #keepalive_timeout 0;
        keepalive_timeout 65;

        # Define a limit_req_zone named allips to store session state, using 10M of memory,
        # keyed on $binary_remote_addr, limiting the average rate to 5 requests per second.
        # 1M can store 16000 states; the rate value must be an integer.
        # To limit to one request every two seconds, set it to 30r/m.
        limit_req_zone $binary_remote_addr zone=allips:10m rate=5r/s;

        #gzip on;
        upstream tomcat_server {
            server 172.16.38.225:18001 weight=1;
            server 172.16.38.226:18001 weight=1;
        }

        upstream socket_server {
            server 172.16.38.225:8099 weight=1;
            server 172.16.38.226:8099 weight=1;
        }

        server {
            listen 80;
            server_name localhost;

            location / {
                # root /home/oracle/dev_tools/server/apache-tomcat-6.0.44/webapps/;
                # The HTTP proxy module (proxy) is mainly used to forward requests to other servers.
                # If a backend server returns 502, 504, a timeout or a similar error, the request is
                # automatically forwarded to another server in the upstream load-balancing pool (failover).
                # WebSocket support
                proxy_headers_hash_max_size 51200;
                proxy_headers_hash_bucket_size 6400;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
                # The $host variable equals the Host value in the client request header.
                proxy_set_header Host $host;
                # The backend web server can obtain the real IP address through X-Forwarded-For;
                # $remote_addr is the client's IP address.
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass http://socket_server;

                # Limit each IP to no more than 20 requests per second, with a leaky-bucket burst of 5
                # (these comments use 20 r/s as the example; the allips zone above is set to 5r/s).
                # burst means: if seconds 1, 2, 3 and 4 each see 19 requests,
                # then 25 requests in second 5 are allowed.
                # But if the first second already has 25 requests, requests beyond 20 in second 2 get a 503 error.
                # nodelay: without this option the average rate is enforced strictly,
                # so with 25 requests in second 1, 5 of them are deferred to second 2;
                # with nodelay set, all 25 requests are executed in second 1.
                limit_req zone=allips burst=5 nodelay;
            }
        }
    }
Request the site with a browser: http://172.16.38.225
You will see log entries written to access.log.
2. Write the Logstash configuration
vi /usr/local/app/logstash-6.2.4/config/logstash-nginx.conf
    input {
      file {
        path => "/usr/local/nginx/logs/access.log"
        codec => json
        start_position => "beginning"
        type => "nginx-log"
      }
    }
    output {
      if [type] == "nginx-log" {
        elasticsearch {
          hosts => ["172.16.38.225:9200"]
          index => "nginx-log-%{+YYYY.MM.dd}"
        }
      }
    }
Then start Logstash:
./logstash -f ../config/logstash-nginx.conf &
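Because the log_format above builds JSON by string substitution and the Logstash input uses codec => json, request-controlled fields such as $http_user_agent decide whether a line is valid JSON. The following is an added example, not part of the original post: it models nginx's documented default escaping (\xXX) beside the escape=json parameter of log_format (nginx 1.11.8 and later) and checks which lines a JSON parser can still read. The TEMPLATE field subset, helper names and sample requests are constructed for illustration.

```python
import json

# Subset of the page's `log_format json` fields; the request-controlled ones matter here.
TEMPLATE = ('{{"@timestamp":"{ts}","client":"{client}","url":"{url}",'
            '"status":"{status}","referer":"{referer}","ua":"{ua}"}}')

def escape_default(value):
    """Model of nginx's default log escaping: '"', '\\' and bytes <32 or >126 become \\xXX."""
    return "".join("\\x%02X" % b if b in (0x22, 0x5C) or b < 32 or b > 126 else chr(b)
                   for b in value.encode("utf-8"))

def escape_json(value):
    """Model of `log_format <name> escape=json ...`: JSON string escaping."""
    return json.dumps(value, ensure_ascii=False)[1:-1]

def render(escape, request):
    """Build one access-log line the way nginx substitutes variables into the format."""
    fixed = {"ts": "2021-11-19T10:00:00+08:00", "status": "200"}
    return TEMPLATE.format(**fixed, **{k: escape(v) for k, v in request.items()})

def parse(line):
    """What a JSON codec can recover: the event dict, or None when the line is not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def audit(lines):
    """Return the 1-based numbers of lines that would not be indexed as structured events."""
    return [n for n, line in enumerate(lines, 1) if parse(line) is None]

# Constructed sample requests (not taken from a real log).
BENIGN = {"client": "192.0.2.10", "url": "/index.html", "referer": "-", "ua": "curl/7.61.1"}
QUOTED = {"client": "192.0.2.66", "url": "/login", "referer": "-", "ua": 'scanner "v1" \\ test'}

if __name__ == "__main__":
    for name, esc in (("default", escape_default), ("escape=json", escape_json)):
        lines = [render(esc, BENIGN), render(esc, QUOTED)]
        print(name, "unparseable lines:", audit(lines))
```

With the default escaping, the quoted User-Agent produces \x22, which is not a valid JSON escape; Logstash's json codec then falls back to plain text and tags the event _jsonparsefailure, so fields such as client and status are missing from the index for that request.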
3. Add the nginx logs in Kibana
First, in the ES plugin we can see the nginx-log index.
Configure Kibana