ELK採集nginx錯誤日誌

原創

2020-03-11 23:43

ELK採集nginx錯誤日誌

一、filebeat採集配置

1、在nginx服務器上安裝filebeat

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.1-x86_64.rpm
yum localinstall filebeat-6.3.1-x86_64.rpm

2、配置filebeat採集文件

vim /etc/filebeat/filebeat.yml

logging.level: info
logging.to_files: true
logging.files:
  path: /data/logs/filebeat
  name: filebeat.log
  keepfiles: 7
  permissions: 0644

filebeat.inputs:
- type: log
  enabled: true
  exclude_lines: ['\\x']
  fields:
    log-type: nginx-access-logs
  paths:
    - /data/logs_nginx/*.json.log

- type: log
  enabled: true
  fields:
    log-type: nginx-error-logs
  paths:
    - /data/logs_nginx/error.log

output.kafka:
  # initial brokers for reading cluster metadata
  hosts: ["kafka1:9092", "kafka2:9092", "kafka3:9092"]

  # message topic selection + partitioning
  topic: '%{[fields][log-type]}'
  partition.hash:
    reachable_only: false

  required_acks: 1
  compression: snappy
  max_message_bytes: 1000000

4、啓動filebeat

 systemctl start filebeat

二、配置logstash過濾規則並存儲到elasticsearch

1、添加nginx錯誤日誌grok表達式

cd /usr/share/logstash/patterns/

vim nginx

NGINX_ERROR_LOG (?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<clientip>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server}?)(?:, request: %{QS:request})?(?:, upstream: (?<upstream>\"%{URI}\"|%{QS}))?(?:, host: %{QS:request_host})?(?:, referrer: \"%{URI:referrer}\")?

2、配置logstash過濾nginx日誌規則

cd /etc/logstash/conf.d
vim nginx-error.conf

input{
    kafka{
        bootstrap_servers => ["kafka1:9092,kafka2:9092,kafka3:9092"]
        client_id => "nginx-error-logs"
        group_id => "logstash"
        auto_offset_reset => "latest"
        consumer_threads => 10
        decorate_events => true 
        topics => ["nginx-error-logs"] 
        type => "nginx-error-logs"
        codec => json {charset => "UTF-8"} 
    }
}


filter {
  if [fields][log-type] == "nginx-error-logs" {
   grok {
       match => [ "message" , "%{NGINX_ERROR_LOG}"]
    }
    geoip {
        database =>"/usr/share/logstash/GeoLite2-City/GeoLite2-City.mmdb"
        source => "clientip"
    }
    date {
      timezone => "Asia/Shanghai"
      match => ["timestamp","yyyy/MM/dd HH:mm:ss"]
    }

  }
}



output {

  if [fields][log-type] == "nginx-error-logs" {
    elasticsearch {
      hosts => ["http://es1:9200","http://es2:9200","http://es3:9200"]
      index => "nginx-error-%{+YYYY.MM.dd}"
    }
  }

}

3、重啓logstash

systemctl restart logstash

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

ELK採集nginx錯誤日誌

ELK採集nginx錯誤日誌

一、filebeat採集配置

1、在nginx服務器上安裝filebeat

2、配置filebeat採集文件

4、啓動filebeat

二、配置logstash過濾規則並存儲到elasticsearch

1、添加nginx錯誤日誌grok表達式

2、配置logstash過濾nginx日誌規則

3、重啓logstash

10分鐘搞定Mysql主從部署配置

如何使用 JS 判斷用戶是否處於活躍狀態

「Pygors跨平臺GUI」2：安裝MinGW-w64、MSYS2還是WSL2

[轉帖]

python列出centos7內存使用前50的進程信息

「Pygors跨平臺GUI」1：Pygors跨平臺GUI應用研究

一鍵自動化博客發佈工具,用過的人都說好(掘金篇)

lightdb數據庫超時相關控制參數

lightdb秒級增加列和刪除列（not null帶默認值）

Java ThreadPoolShutdown

redis添加布隆過濾器插件

ELK + Grafana分析nginx日誌

redis事務是否支持原子性

Gradle自定義插件編寫

kafka-manager安裝

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結