
2.3 Logstash experiment

2025/2/28 20:09:08  Source: https://blog.csdn.net/AustinCien/article/details/145860051

Collecting Apache logs and sending them to ES

Install logstash and httpd on the real server.

systemctl start httpd

echo 666 > /var/www/html/index.html

cat /usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/httpd  # built-in grok patterns

cd /usr/local/logstash/config/

cp logstash-sample.conf httpd-access.conf

vim httpd-access.conf

input {
  stdin {}
}
filter {
  grok {
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
    remove_field => ["message", "auth", "ident"]
  }
  date {
    # Apache writes the month as text (Jun), so the Joda pattern needs MMM and a four-digit yyyy
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}
output {
  stdout {}
}

cat /var/log/httpd/access_log

127.0.0.1 - - [21/Jun/2023:14:41:22 +0800] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"

logstash -f httpd-access.conf

127.0.0.1 - - [21/Jun/2023:14:41:22 +0800] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"

As you can see, the Apache log output contains backslashes (\); we can improve this:

cd /usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/

grep QS -R .

grep QUOTEDSTRING -R .

Here you can see that the definition is too complex, so we define our own pattern ALL to replace QS and enclose it in double quotes.

vim /usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/httpd

# Add on a new line (a trailing "#..." on a pattern line would become part of the regex, so keep the comment on its own line):
ALL .*

HTTPD_COMBINEDLOG %{HTTPD_COMMONLOG} "%{ALL:referrer}" "%{ALL:agent}"

The filter configuration is now complete!

Next, configure the input to read the Apache log and the output to send it to ES.

vim /usr/local/logstash/config/httpd-access.conf

input {
  file {
    path => ["/var/log/httpd/access_log"]   # the Apache access log shown above
    type => "httpd_access"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{HTTPD_COMBINEDLOG}" }
    remove_field => ["message", "auth", "ident"]
  }
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.148.132:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}

logstash -f /usr/local/logstash/config/httpd-access.conf

127.0.0.1 - - [21/Jun/2023:14:41:22 +0800] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
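To check what the grok and date filters turn the sample access_log line into, and which index the output block's "%{type}-%{+YYYY.MM.dd}" resolves to, here is an added Python example (not code from the original post or from Logstash). It assumes a simplified regex equivalent of HTTPD_COMMONLOG plus the custom "%{ALL:referrer}" "%{ALL:agent}" tail, and the Joda pattern dd/MMM/yyyy:HH:mm:ss Z, which is the form the date filter needs for a month written as "Jun".

```python
import re
from datetime import datetime, timezone

# Line copied from the page's /var/log/httpd/access_log output.
SAMPLE = ('127.0.0.1 - - [21/Jun/2023:14:41:22 +0800] "GET / HTTP/1.1" '
          '403 4897 "-" "curl/7.29.0"')

# Simplified (assumed) regex equivalent of HTTPD_COMMONLOG followed by the
# page's custom tail "%{ALL:referrer}" "%{ALL:agent}" (ALL = .*). Apache writes
# an embedded quote as \" so the greedy .* normally stays inside its field.
HTTPD_COMBINEDLOG = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>-|\d+) '
    r'"(?P<referrer>.*)" "(?P<agent>.*)"$'
)
# Joda pattern "dd/MMM/yyyy:HH:mm:ss Z" of the date filter, in strptime form.
HTTPDATE = "%d/%b/%Y:%H:%M:%S %z"
REMOVE_FIELD = ("message", "auth", "ident")


def parse_event(line, event_type="httpd_access"):
    """Return the event dict Logstash would emit for one line, or None when
    the grok pattern does not match (Logstash would tag _grokparsefailure)."""
    m = HTTPD_COMBINEDLOG.match(line)
    if not m:
        return None
    event = {"message": line, "type": event_type, **m.groupdict()}
    # The date filter parses 'timestamp' and stores @timestamp in UTC.
    ts = datetime.strptime(event["timestamp"], HTTPDATE).astimezone(timezone.utc)
    event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    for field in REMOVE_FIELD:
        event.pop(field, None)
    return event


def index_name(event):
    """Index that "%{type}-%{+YYYY.MM.dd}" resolves to. %{+...} is formatted
    from @timestamp, i.e. the UTC day, not the server's local (+0800) day."""
    day = event["@timestamp"][:10].replace("-", ".")
    return f'{event["type"]}-{day}'


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev)
    print(index_name(ev))  # httpd_access-2023.06.21
    # Constructed line: 02:00 local time (+0800) on 22 June is still 21 June in UTC.
    late = SAMPLE.replace("21/Jun/2023:14:41:22", "22/Jun/2023:02:00:00")
    print(index_name(parse_event(late)))  # httpd_access-2023.06.21
```

Because the index day comes from the UTC @timestamp, requests logged before 08:00 local time land in the previous day's index, which matters when you search or purge per-day indices.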

Install the ElasticSearch Head visualization plugin

(omitted)

Test: open 192.168.148.132:9100 in a browser.

Change http://localhost:9200/ to http://192.168.148.132:9200/ and click Connect.

Collecting Nginx logs and sending them to ES

Option 1

nginx:

Modify the nginx server configuration file:

    # escape=json (nginx >= 1.11.8) keeps quotes and backslashes in client-supplied
    # headers such as User-Agent and Referer from producing invalid JSON lines
    log_format json escape=json '{'
        '"client":"$remote_addr",'
        '"time":"$time_local",'
        '"verb":"$request_method",'
        '"url":"$request_uri",'
        '"status":"$status",'
        '"size":$body_bytes_sent,'
        '"referer":"$http_referer",'
        '"agent":"$http_user_agent"'
        '}';
    access_log /var/log/nginx/access_json.log json;

Logstash configuration file:

input {
  file {
    path => "/var/log/nginx/access_json.log"
    # The input is already JSON, so the filter/grok section can be dropped, reducing Logstash's load
    codec => "json"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.10.11:9200"]
    index => "nginx-log-%{+YYYY.MM.dd}"
  }
}

Option 2

Logstash's grok pattern definition for the standard nginx log is:

MAINNGINXLOG %{COMBINEDAPACHELOG} %{QS:x_forwarded_for}

logstash: use the access log directly

input {
  file {
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG} %{QS:x_forwarded_for}" }
  }
  date {
    # yyyy is the calendar year; YYYY would be the ISO week-year, which differs around New Year
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  geoip {
    source => "clientip"
  }
}
output {
  elasticsearch {
    hosts => "192.168.11.10:9200"
  }
}
