ELK 收集分析 nginx 日誌 (access.log && error.log)

ELK 安裝啓動等請參考 https://blog.csdn.net/Gekkoou/article/details/80979374

執行命令 logstash -f logstash-nginx.conf

不囉嗦, 直接貼出最重要的文件 logstash-nginx.conf 代碼

input {
    # Tail the nginx access log. Every event read here carries
    # type "nginx_access", which the filter and output sections key on.
    file {
        path => ["G:/log/nginx_access.log"]
        type => "nginx_access"
        # Read the file from its first line on first discovery rather than
        # only following new lines appended after Logstash starts.
        start_position => "beginning"
        # NOTE(review): ignore_older is a timespan in seconds; the effect of
        # 0 depends on the file-input plugin version — confirm it does not
        # cause already-existing log files to be skipped on discovery.
        ignore_older => 0
    }

    # Tail the nginx error log; events carry type "nginx_error".
    file {
        path => ["G:/log/nginx_error.log"]
        type => "nginx_error"
        start_position => "beginning"
        # NOTE(review): same caveat as above for ignore_older => 0.
        ignore_older => 0
    }
}

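filter {
    if [type] == "nginx_access"{
        # COMBINEDAPACHELOG covers the standard "combined" nginx log_format
        # (clientip, ident, auth, timestamp, verb, request, httpversion,
        # response, bytes, referrer, agent). The trailing %{QS:x_forwarded_for}
        # assumes the log_format appends a quoted "$http_x_forwarded_for";
        # lines that do not end with that field are tagged _grokparsefailure.
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG} %{QS:x_forwarded_for}"}
        }
        # Set @timestamp from the request time instead of ingest time.
        # Use "yyyy" (calendar year), not "YYYY" (week-based year), so dates in
        # the last/first days of a year are not shifted into the wrong year.
        date {
            match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
        # clientip is nginx's $remote_addr. Behind a reverse proxy it is the
        # proxy's address; x_forwarded_for is supplied by the client/proxy
        # chain and is not a trustworthy source for location or access
        # decisions unless a trusted proxy sets it.
        geoip {
            source => "clientip"
        }
        # NOTE(review): the "agent" source field name assumes the pre-ECS
        # COMBINEDAPACHELOG field names — confirm against the Logstash version.
        useragent {
            source => "agent"
            target => "useragent"
        }
    } else if [type] == "nginx_error"{
        # nginx error log lines look like:
        #   2018/07/16 10:00:00 [error] 1234#0: *567 <message>, client: ..., server: ..., request: "...", host: "..."
        # The timestamp is not bracketed, and the message text sits between
        # "pid#tid: " and ", client: ". The previous pattern required a literal
        # ": , client:" and bracketed the timestamp, so it never matched real
        # lines. "client:" and "server:" stay required so GREEDYDATA backtracks
        # to the field boundary; lines without them (startup/shutdown notices)
        # are tagged _grokparsefailure rather than parsed into wrong fields.
        grok {
            match => { "message" => "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER:tid}: (?:\*%{NUMBER:connection_id} )?%{GREEDYDATA:errormessage}(?:, client: (?<clientip>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server}?)(?:, request: %{QS:request})?(?:, upstream: (?<upstream>\"%{URI}\"|%{QS}))?(?:, host: %{QS:request_host})?(?:, referrer: \"%{URI:referrer}\")?" }
        }
        # Set @timestamp from the log line so error events are ordered by when
        # they occurred, not when they were ingested. nginx writes local time
        # with no zone; the date filter applies the Logstash host's timezone
        # unless "timezone" is set — confirm this matches the nginx host.
        date {
            match => [ "timestamp" , "yyyy/MM/dd HH:mm:ss" ]
        }
    }
}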

output {
    # Route each event to its own index family by type. The two types are
    # mutually exclusive, so branch order does not affect routing.
    if [type] == "nginx_error"{
        # NOTE(review): this is a single index with no time suffix, so it grows
        # without bound and cannot be rotated/expired per period the way the
        # access index can; the access branch uses a monthly suffix.
        elasticsearch {
            hosts => [ "localhost:9200" ]
            index => "nginx-error-log"
        }
    } else if [type] == "nginx_access"{
        # One index per month. The sprintf uses "YYYY" (week-based year) —
        # the conventional Logstash example, but be aware that the first/last
        # days of a year can land in the neighbouring year's index.
        elasticsearch {
            hosts => [ "localhost:9200" ]
            index => "nginx-access-log-%{+YYYY.MM}"
        }
    }
    # NOTE(review): the connection to Elasticsearch is plain HTTP with no
    # credentials; acceptable for a local test, but a shared or production
    # cluster should require authentication and TLS on this transport.
}




