配置好ELK后,使用logstash读取nginx日志,但是logstash没有默认的nginx日志格式解析插件,需要自己使用正则匹配。
这里有一个简便的配置方案:
1
2
3
4
5
6
7
8
9
10
11
12
13
| log_format json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"url":"$uri",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"agent":"$http_user_agent",'
'"status":"$status"}';
|
2.logstash配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| input {
file {
path => "/var/log/nginx/access.log"
codec => json
}
}
filter {
mutate {
split => [ "upstreamtime", "," ]
}
mutate {
convert => [ "upstreamtime", "float" ]
}
}
|
