logstash nginx error access 日誌處理

衣舞晨風發表於2017-04-08

input {
   file {
    type => "nginx-access"  
    path => [ "/home/jiankunking/software/testdata/nginx/access.log" ]
    tags => [ "nginx","access"]
    start_position => beginning
   }
    file {
    type => "nginx-error" 
    path => [ "/home/jiankunking/software/testdata/nginx/error.log" ]
    tags => [ "nginx","error"]
    start_position => beginning
}
}
filter {
 if [type] == "nginx-access" {
        grok{
            match =>    ["message","%{IPORHOST:client_ip}\s{1,}\-\s\-\s\[%{HTTPDATE:time}\]\s{1,}\"(?:%{WORD:verb}\s{1,}%{NOTSPACE:request}(?:\s{1,}HTTP/%{NUMBER:http_version})?|-)\" %{NUMBER:response}\s{1,}(?:%{NUMBER:bytes}|-)\s{1,}%{QS:referrer}\s{1,}%{QS:agent}"]
        }
        date{
            match=>["time","dd/MMM/yyyy:HH:mm:ss Z"]
            target=>"logdate"
        }
        ruby{
            code => "event.set('logdateunix',event.get('logdate').to_i)"
        }
    } else if [type] == "nginx-error" { 
        grok {
        match => [
            "message", "(?<time>\d{4}/\d{2}/\d{2}\s{1,}\d{2}:\d{2}:\d{2})\s{1,}\[%{DATA:err_severity}\]\s{1,}(%{NUMBER:pid:int}#%{NUMBER}:\s{1,}\*%{NUMBER}|\*%{NUMBER}) %{DATA:err_message}(?:,\s{1,}client:\s{1,}(?<client_ip>%{IP}|%{HOSTNAME}))(?:,\s{1,}server:\s{1,}%{IPORHOST:server})(?:, request: %{QS:request})?(?:, host: %{QS:client_ip})?(?:, referrer: \"%{URI:referrer})?",
            "message", "(?<time>\d{4}/\d{2}/\d{2}\s{1,}\d{2}:\d{2}:\d{2})\s{1,}\[%{DATA:err_severity}\]\s{1,}%{GREEDYDATA:err_message}"]
        }
        date{
            match=>["time","yyyy/MM/dd HH:mm:ss"]
            target=>"logdate"
        }
        ruby{
            code => "event.set('logdateunix',event.get('logdate').to_i)"
        }
    }
}
output{
   elasticsearch{
        hosts => ["10.10.10.10:9200"]
        index => "logstash-nginx-%{+YYYY.MM.dd}"
    }
}

nginx access日誌格式：

10.10.10.10 - - [28/Mar/2017:13:21:04 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36"
10.10.10.10 - - [28/Mar/2017:13:21:04 +0800] "GET /favicon.ico HTTP/1.1" 404 572 "http://10.11.11.11/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36"

拆分效果：

{
    "_index": "logstash-nginx-access-2017.04.07",
    "_type": "logs",
    "_id": "AVtHLpaYYixw4Fpnef2F",
    "_score": 1,
    "_source": {
        "request": "/favicon.ico",
        "agent": ""Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"",
        "verb": "GET",
        "http_version": "1.1",
        "message": "10.11.11.12 - - [28/Mar/2017:13:33:42 +0800] "GET /favicon.ico HTTP/1.1" 404 572 "http://log.c.haier.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"",
        "tags": [
            "nginx"
            ,
            "access"
        ],
        "path": "/home/jiankunking/software/testdata/nginx/access.log",
        "referrer": ""http://log.c.haier.net/"",
        "@timestamp": "2017-04-07T06:51:26.135Z",
        "response": "404",
        "bytes": "572",
        "logdate": "2017-03-28T05:33:42.000Z",
        "@version": "1",
        "host": "ubuntu",
        "client_ip": "10.11.11.12",
        "logdateunix": 1490679222,
        "timestamp": "28/Mar/2017:13:33:42 +0800"
    }

}

nginx error日誌格式：

2017/03/28 13:34:21 [error] 17627#0: *8 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.10.10.10, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "10.11.11.11"
2017/03/28 14:15:10 [notice] 20260#0: signal process started
2017/03/28 15:04:32 [emerg] 21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47

拆分效果：

{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNL",
    "_score": 1,
    "_source": {
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.601Z",
        "err_severity": "notice",
        "logdate": "2017-03-28T06:15:10.000Z",
        "@version": "1",
        "host": "ubuntu",
        "time": "2017/03/28 14:15:10",
        "message": "2017/03/28 14:15:10 [notice] 20260#0: signal process started",
        "logdateunix": 1490681710,
        "tags": ["nginx",
        "error"],
        "err_message": "20260#0: signal process started"
    }
},
{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNK",
    "_score": 1,
    "_source": {
        "server": "localhost",
        "request": ""GET/favicon.icoHTTP/1.1"",
        "pid": 17627,
        "message": "2017/03/28 13:34:21 [error] 17627#0: *8 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.11.11.11, server: localhost, request: "GET/favicon.icoHTTP/1.1", host: "10.11.11.12"",
        "tags": ["nginx",
        "error"],
        "err_message": "open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory)",
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.595Z",
        "err_severity": "error",
        "logdate": "2017-03-28T05:34:21.000Z",
        "@version": "1",
        "host": "ubuntu",
        "client_ip": ["10.11.11.11",
        ""10.11.11.12""],
        "time": "2017/03/28 13:34:21",
        "logdateunix": 1490679261
    }
},
{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNM",
    "_score": 1,
    "_source": {
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.610Z",
        "err_severity": "emerg",
        "logdate": "2017-03-28T07:04:32.000Z",
        "@version": "1",
        "host": "ubuntu",
        "time": "2017/03/28 15:04:32",
        "message": "2017/03/28 15:04:32 [emerg] 21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47",
        "logdateunix": 1490684672,
        "tags": ["nginx",
        "error"],
        "err_message": "21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47"
    }
}

本文參考：https://github.com/rooprob/logstash-various/blob/master/logstash-nginx-error.conf

作者：jiankunking 出處：http://blog.csdn.net/jiankunking

logstash kafka output 日誌處理
2017-04-12
Kafka
nginx日誌處理
2017-06-19
Nginx
logstash nginx access
2018-01-05
Nginx
AWStats分析nginx日誌（access.log）
2015-02-04
Nginx
Nginx access.log日誌分析shell命令
2017-05-26
Nginx
Logstash日誌蒐集
2015-12-06
記處理線上記錄垃圾日誌 The view 'Error' or its master was not found
2015-07-10
ViewErrorAST
PHP日誌處理類
2016-05-26
PHP
python過濾nginx access日誌存入資料庫中
2019-02-23
PythonNginx資料庫
nginx中access日誌如何做到按時間完美切割
2021-09-09
Nginx
nginx error_log 錯誤日誌配置說明
2016-07-02
NginxError
logstash收集springboot日誌
2021-04-28
Spring Boot
（四）Logstash收集、解析日誌方法
2020-11-22
nginx伺服器access_log日誌分析及配置詳解
2013-01-04
Nginx伺服器
orbeon form 的日誌處理
2021-12-19
ORBORM
shell日誌顏色處理
2018-09-27
DATAGUARD中手工處理日誌GAP
2019-04-12
node錯誤處理與日誌
2019-02-16
oracle alert日誌亂碼處理
2012-03-30
Oracle
strom打造日誌處理系統
2013-04-12
Db2 日誌處理二
2007-10-07
DB2
Nginx日誌配置
2019-09-23
Nginx
nginx切割日誌
2017-12-26
Nginx
nginx日誌切割
2012-07-24
Nginx
apache日誌匯入oracle(日誌經過python處理)
2012-11-19
ApacheOraclePython
Nginx使用日誌輸出上游伺服器和自身的處理時間
2018-01-30
Nginx伺服器
logstash的安裝使用、收集json日誌、csv日誌總結
2017-11-22
JSON
日誌分析平臺ELK之日誌收集器logstash
2020-10-02
logstash監控海量日誌並報警
2017-11-12
SQL Server日誌檔案總結及日誌滿的處理
2009-06-30
SQLServer
如何在zuul上做日誌處理
2020-02-19
Zuul
搭建node服務(1)：日誌處理
2020-04-21
指令碼處理iOS的Crash日誌
2018-12-29
指令碼iOS
處理Apache日誌的Bash指令碼
2012-01-06
Apache指令碼
丟失重做日誌怎麼處理
2008-01-27
處理nginx訪問日誌，篩選時間大於1秒的請求
2018-11-15
Nginx
Nginx日誌輪訓
2018-08-15
Nginx
nginx日誌切割配置
2016-09-05
Nginx

logstash nginx error access 日誌處理

相關文章