logstash nginx error access 日誌處理

衣舞晨風發表於2017-04-08

原文網址 : https://blog.csdn.net/jiankunking/article/details/69664322

input {
   file {
    type => "nginx-access"  
    path => [ "/home/jiankunking/software/testdata/nginx/access.log" ]
    tags => [ "nginx","access"]
    start_position => beginning
   }
    file {
    type => "nginx-error" 
    path => [ "/home/jiankunking/software/testdata/nginx/error.log" ]
    tags => [ "nginx","error"]
    start_position => beginning
}
}
filter {
 if [type] == "nginx-access" {
        grok{
            match =>    ["message","%{IPORHOST:client_ip}\s{1,}\-\s\-\s\[%{HTTPDATE:time}\]\s{1,}\"(?:%{WORD:verb}\s{1,}%{NOTSPACE:request}(?:\s{1,}HTTP/%{NUMBER:http_version})?|-)\" %{NUMBER:response}\s{1,}(?:%{NUMBER:bytes}|-)\s{1,}%{QS:referrer}\s{1,}%{QS:agent}"]
        }
        date{
            match=>["time","dd/MMM/yyyy:HH:mm:ss Z"]
            target=>"logdate"
        }
        ruby{
            code => "event.set('logdateunix',event.get('logdate').to_i)"
        }
    } else if [type] == "nginx-error" { 
        grok {
        match => [
            "message", "(?<time>\d{4}/\d{2}/\d{2}\s{1,}\d{2}:\d{2}:\d{2})\s{1,}\[%{DATA:err_severity}\]\s{1,}(%{NUMBER:pid:int}#%{NUMBER}:\s{1,}\*%{NUMBER}|\*%{NUMBER}) %{DATA:err_message}(?:,\s{1,}client:\s{1,}(?<client_ip>%{IP}|%{HOSTNAME}))(?:,\s{1,}server:\s{1,}%{IPORHOST:server})(?:, request: %{QS:request})?(?:, host: %{QS:client_ip})?(?:, referrer: \"%{URI:referrer})?",
            "message", "(?<time>\d{4}/\d{2}/\d{2}\s{1,}\d{2}:\d{2}:\d{2})\s{1,}\[%{DATA:err_severity}\]\s{1,}%{GREEDYDATA:err_message}"]
        }
        date{
            match=>["time","yyyy/MM/dd HH:mm:ss"]
            target=>"logdate"
        }
        ruby{
            code => "event.set('logdateunix',event.get('logdate').to_i)"
        }
    }
}
output{
   elasticsearch{
        hosts => ["10.10.10.10:9200"]
        index => "logstash-nginx-%{+YYYY.MM.dd}"
    }
}

nginx access日誌格式：

10.10.10.10 - - [28/Mar/2017:13:21:04 +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36"
10.10.10.10 - - [28/Mar/2017:13:21:04 +0800] "GET /favicon.ico HTTP/1.1" 404 572 "http://10.11.11.11/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36"

拆分效果：

{
    "_index": "logstash-nginx-access-2017.04.07",
    "_type": "logs",
    "_id": "AVtHLpaYYixw4Fpnef2F",
    "_score": 1,
    "_source": {
        "request": "/favicon.ico",
        "agent": ""Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"",
        "verb": "GET",
        "http_version": "1.1",
        "message": "10.11.11.12 - - [28/Mar/2017:13:33:42 +0800] "GET /favicon.ico HTTP/1.1" 404 572 "http://log.c.haier.net/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"",
        "tags": [
            "nginx"
            ,
            "access"
        ],
        "path": "/home/jiankunking/software/testdata/nginx/access.log",
        "referrer": ""http://log.c.haier.net/"",
        "@timestamp": "2017-04-07T06:51:26.135Z",
        "response": "404",
        "bytes": "572",
        "logdate": "2017-03-28T05:33:42.000Z",
        "@version": "1",
        "host": "ubuntu",
        "client_ip": "10.11.11.12",
        "logdateunix": 1490679222,
        "timestamp": "28/Mar/2017:13:33:42 +0800"
    }

}

nginx error日誌格式：

2017/03/28 13:34:21 [error] 17627#0: *8 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.10.10.10, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "10.11.11.11"
2017/03/28 14:15:10 [notice] 20260#0: signal process started
2017/03/28 15:04:32 [emerg] 21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47

拆分效果：

{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNL",
    "_score": 1,
    "_source": {
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.601Z",
        "err_severity": "notice",
        "logdate": "2017-03-28T06:15:10.000Z",
        "@version": "1",
        "host": "ubuntu",
        "time": "2017/03/28 14:15:10",
        "message": "2017/03/28 14:15:10 [notice] 20260#0: signal process started",
        "logdateunix": 1490681710,
        "tags": ["nginx",
        "error"],
        "err_message": "20260#0: signal process started"
    }
},
{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNK",
    "_score": 1,
    "_source": {
        "server": "localhost",
        "request": ""GET/favicon.icoHTTP/1.1"",
        "pid": 17627,
        "message": "2017/03/28 13:34:21 [error] 17627#0: *8 open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 10.11.11.11, server: localhost, request: "GET/favicon.icoHTTP/1.1", host: "10.11.11.12"",
        "tags": ["nginx",
        "error"],
        "err_message": "open() "/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory)",
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.595Z",
        "err_severity": "error",
        "logdate": "2017-03-28T05:34:21.000Z",
        "@version": "1",
        "host": "ubuntu",
        "client_ip": ["10.11.11.11",
        ""10.11.11.12""],
        "time": "2017/03/28 13:34:21",
        "logdateunix": 1490679261
    }
},
{
    "_index": "logstash-nginx-error-2017.04.07",
    "_type": "logs",
    "_id": "AVtHEFkyYixw4FpnefNM",
    "_score": 1,
    "_source": {
        "path": "/home/jiankunking/software/testdata/nginx/error.log",
        "@timestamp": "2017-04-07T06:18:24.610Z",
        "err_severity": "emerg",
        "logdate": "2017-03-28T07:04:32.000Z",
        "@version": "1",
        "host": "ubuntu",
        "time": "2017/03/28 15:04:32",
        "message": "2017/03/28 15:04:32 [emerg] 21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47",
        "logdateunix": 1490684672,
        "tags": ["nginx",
        "error"],
        "err_message": "21321#0: invalid URL prefix in /usr/local/nginx/conf/nginx.conf:47"
    }
}

本文參考：https://github.com/rooprob/logstash-various/blob/master/logstash-nginx-error.conf

作者：jiankunking 出處：http://blog.csdn.net/jiankunking

logstash收集springboot日誌
2021-04-28
Spring Boot
python過濾nginx access日誌存入資料庫中
2019-02-23
PythonNginx資料庫
nginx中access日誌如何做到按時間完美切割
2021-09-09
Nginx
（四）Logstash收集、解析日誌方法
2020-11-22
shell日誌顏色處理
2018-09-27
orbeon form 的日誌處理
2021-12-19
ORBORM
Logstash 配置Java日誌格式的方法
2024-09-11
Java
node錯誤處理與日誌
2019-02-16
DATAGUARD中手工處理日誌GAP
2019-04-12
日誌分析平臺ELK之日誌收集器logstash
2020-10-02
Nginx日誌配置
2019-09-23
Nginx
nginx 清空日誌
2024-11-21
Nginx
ELK 處理 Spring Boot 日誌，不錯！
2023-09-19
Spring Boot
如何在zuul上做日誌處理
2020-02-19
Zuul
搭建node服務(1)：日誌處理
2020-04-21
SpringBoot第十三篇：日誌處理
2019-06-04
Spring Boot
指令碼處理iOS的Crash日誌
2018-12-29
指令碼iOS
利用 ELK 處理 Percona 審計日誌
2023-04-12
處理nginx訪問日誌，篩選時間大於1秒的請求
2018-11-15
Nginx
Kibana+Logstash+Elasticsearch 日誌查詢系統
2020-04-05
Elasticsearch
Nginx日誌輪訓
2018-08-15
Nginx
基於go開發日誌處理包
2018-10-22
Go
node專案錯誤處理與日誌
2018-12-23
SQLServer資料庫日誌太大處理方式
2024-10-15
SQLServer資料庫
mariadb審計日誌通過 logstash匯入 hive
2018-07-27
Hive
比較開源日誌：Logstash、FluentD 和 Fluent Bit
2024-03-17
Elasticsearch+kibana+logstash 搭建日誌收集分析平臺
2022-01-26
Elasticsearch
Nginx編譯時error: assignment makes pointer from integer without a cast處理
2018-12-01
Nginx編譯ErrorAST
logback下日誌輸出前處理操作——以日誌脫敏為例
2024-08-04
『無為則無心』Python日誌 — 67、logging日誌模組處理流程
2022-03-05
Python
error的處理方式
2021-04-12
Error
Nginx日誌格式設定
2019-05-11
Nginx
nginx日誌分析工具goaccess
2024-09-01
NginxGo
Nginx日誌配置詳解
2018-03-08
Nginx
按日期分割nginx日誌
2018-04-24
Nginx
自定義Nginx日誌格式
2021-07-08
Nginx
004 Nginx日誌挖掘accessLog
2020-12-24
Nginx
Spark SQL：實現日誌離線批處理
2018-09-17
SparkSQL
對 Hyperf 做的那些事 3（日誌處理）
2020-01-06

logstash nginx error access 日誌處理

相關文章