nginx grok 正則錯誤的輸出情況
阿新 • • 發佈:2019-02-15
nginx 配置:

http {
    include mime.types;
    default_type application/octet-stream;

    # Access-log layout named "main". Field order, as written below:
    #   Host header, server address, client address, [local time], "request line",
    #   request body, status, bytes sent, "referer", "user agent",
    #   request time, upstream response time.
    # NOTE(review): $request_body puts submitted request bodies into the access log
    # whenever nginx has the body available. Form posts can carry passwords, tokens
    # or personal data, and every later hop shown on this page (rsyslog, the files
    # Logstash reads, Elasticsearch) then stores them too. Drop the field, or limit
    # it to the locations that really need it, and restrict who can read the logs.
    # The request line, body, referer and user agent are all client-supplied, so
    # anything that parses or displays these lines must treat them as untrusted text.
    log_format main '$http_host $server_addr $remote_addr [$time_local] "$request" '
                    '$request_body $status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';

    #send the log to syslog and file.
    access_log /var/log/nginx/access.log main;
    # pre 1.5.x
    error_log /var/log/nginx/error.log;

nginx 伺服器rsyslog配置:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# File-tailing input module; PollingInterval is in seconds.
module(load="imfile" PollingInterval="5")
# Loads the TCP syslog input and starts a listener on port 514.
# NOTE(review): nothing else in this excerpt needs an inbound listener on the web
# server, which only forwards its own files. If that holds, remove these two lines
# or firewall the port: plain TCP syslog accepts lines from any sender that can
# reach it, without authentication.
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
# local5.none keeps the nginx lines (tagged local5 below) out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# Tail the nginx access and error logs and submit each line as facility local5
# with a per-file tag.
input(type="imfile" File="/var/log/nginx/access.log" Tag="uat-frontend01-access" Severity="info" Facility="local5")
input(type="imfile" File="/var/log/nginx/error.log" Tag="uat-frontend01-error" Severity="info" Facility="local5")
# Forward everything in local5 to the collector over TCP ("@@" is TCP, a single "@"
# would be UDP). "xx" is the redacted collector host from the original post.
# NOTE(review): no TLS netstream driver is configured anywhere in this excerpt, so
# the access-log lines, request bodies included, cross the network in cleartext.
# Use rsyslog's TLS transport (gtls driver with peer authentication) between the
# web server and the collector.
local5.* @@xx:514

logstash 配置;

zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat loguat.cof
# Reads the per-host nginx access files under /rsyslog/data/ and tags each event
# with type "uat_nginx_access".
input {
  file {
    type => "uat_nginx_access"
    path => ["/rsyslog/data/nginx/uat/nginx_access0*_log.*"]
  }
}
filter {
  # This pattern does not describe the log_format "main" shown above, which is why
  # every event in the output below carries the tag _grokparsefailure and none of
  # the named fields. Comparing the two side by side:
  #   - after the quoted request line the log has the $request_body field ("-" in
  #     the sample), but the pattern expects the status NUMBER immediately;
  #   - the user agent is captured with \S+, which cannot match a value containing
  #     spaces such as the Mozilla/5.0 (...) string in the sample;
  #   - the pattern ends with a quoted http_x_forwarded_for, while the log line
  #     ends with the unquoted $request_time and $upstream_response_time;
  #   - the leading $http_host and $server_addr fields are not named, so they would
  #     not be extracted even on a match.
  # Unparsed events are still indexed, so a silent parse failure means that alerts
  # and searches keyed on status, client address or URI see nothing. Monitor the
  # _grokparsefailure tag rather than assuming the pipeline is parsing.
  grok {
    match => { "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>\S+)\" \"(?<http_x_forwarded_for>\S+)\"" }
  }
}
output {
  # NOTE(review): only host and index are set here; no credentials or TLS options
  # appear in this block. Make sure port 9200 is reachable only from the Logstash
  # host and other trusted systems, since the index holds raw request data.
  elasticsearch {
    hosts => "192.168.32.80:9200"
    index => "logstash-uat-test"
  }
  # Prints every event to the console, raw message included. Useful while debugging
  # the pattern; not something to leave enabled where console output is captured.
  stdout { codec => rubydebug }
}

logstash 輸出;

zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f loguat.cof
Settings: Default pipeline workers: 1
Pipeline main started
{
       "message" => " uatest.winfae.com 121.40.189.90 121.40.205.143 [29/Aug/2016:09:42:25 +0800] \"GET /wechat/css/wechat.2a00a782.css HTTP/1.1\" - 304 0 \"https://uatest.winfae.com/wechat/account.html\" \"Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN\" 0.000 -",
      "@version" => "1",
    "@timestamp" => "2016-08-29T01:45:09.748Z",
          "path" => "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
          "host" => "0.0.0.0",
          "type" => "uat_nginx_access",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

elasticsearch 輸出;

{
  "_index": "logstash-uat-test",
  "_type": "uat_nginx_access",
  "_id": "AVbT-JPMEY-onx06xYf_",
  "_version": 1,
  "_score": 1,
  "_source": {
    "message": " uatest.winfae.com 121.40.189.90 121.40.205.143 [29/Aug/2016:09:42:25 +0800] "GET /wechat/js/libs/dialog-min.88247f5e.js HTTP/1.1" - 304 0 "https://uatest.winfae.com/wechat/account.html" "Mozilla/5.0 (Linux; Android 5.1.1; vivo X6S A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile MQQBrowser/6.2 TBS/036558 Safari/537.36 MicroMessenger/6.3.25.861 NetType/WIFI Language/zh_CN" 0.000 -",
    "@version": "1",
    "@timestamp": "2016-08-29T01:45:10.220Z",
    "path": "/rsyslog/data/nginx/uat/nginx_access01_log.2016-08-29",
    "host": "0.0.0.0",
    "type": "uat_nginx_access",
    "tags": [ "_grokparsefailure" ]
  }
}

<img src="https://img-blog.csdn.net/20160829100135123?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center" alt="" />