ELK+syslog+nginx访问日志收集+分词处理
一、nginx访问日志配置:
1、日志格式配置:
log_format json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":$body_bytes_sent,'
'"xff":"$http_x_forwarded_for",'
'"upstreamhost":"$upstream_addr",'
'"status":"$status",'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"http_host":"$host",'
'"url":"$uri"}';
2、访问日志配置:
access_log syslog:server=xx.xx.xx.xx:5140 json;
二、logstash配置
input {
syslog{
port => "5140"
}
}
filter {
json {
source =>"message"
remove_field => ["message"]
}
}
output {
elasticsearch { hosts => ['xx.xx.xx.xx:9200','xx.xx.xx.xx:9200']
index => 'nginx_rfd-%{+YYYY.MM.dd.HH}'
template => "/usr/local/logstash/nginx.json"
template_name => "nginx_*"
template_overwrite => true
}
}
注意index名称要包含到template_name里
三、自定义mappings
cat /usr/local/logstash/nginx.json
{
"template": "nginx_*",
"order":1,
"settings": { "index.refresh_interval" : "60s" },
"mappings": {
"_default_": {
"_all" : { "enabled" : false },
"properties": {
"@timestamp" : { "type" : "date" },
"@version" : { "type" : "integer", "index" : "not_analyzed" },
"url": {
"type": "string",
"index": "not_analyzed"
},
"host": {
"type": "ip",
"index": "not_analyzed"
},
"clientip": {
"type": "ip",
"index": "not_analyzed"
},
"size": {
"type": "integer"
},
"xff": {
"type": "string",
"index": "not_analyzed"
},
"upstreamhost": {
"type": "string",
"index": "not_analyzed"
},
"http_host": {
"type": "string",
"index": "not_analyzed"
},
"status": {
"type": "integer"
},
"responseTime": {
"type": "string",
"index": "not_analyzed"
},
"upstreamtime": {
"type": "string",
"index": "not_analyzed"
}
}
}
}
}
四、生成统计图形
五、参考文档
https://elasticsearch.cn/article/154
http://blog.csdn.net/choelea/article/details/53320140
http://www.cnblogs.com/hanyifeng/p/5860731.html