nginx访问日志 logstash 配置文件实例1_程序开发

nginx访问日志 logstash 配置文件实例1

admin

2023-03-19 05:41:28

0次

日志格式：
log_format usgateway '$http_clientip\t$http_ServiceName\t$http_uid\t$http_sid\t[$time_local]'
                                     '\t$request\t$status\t$body_bytes_sent\t$connection_requests'
                                     '\t$remote_addr\t$http_referer\t$http_user_agent'
                                     '\t$request_body\t$request_time\t$msec';
日志实例：
10.10.45.152---[23/Jun/2017:17:37:42 +0800]POST /sg HTTP/1.14055765910.10.130.100-Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0){\x22mbrNetName\x22:\x22\xE9\x87\x91\xE6\x98\x9F\x22,\x22nameCn\x22:\x22\xE8\x8A\x92\xE6\x9E\x9C\xE7\xBD\x91\x22,\x22gender\x22:\x2211\x22,\x22birthday\x22:\x222010-10-01\x22,\x22mbrId\x22:\x2235954629\x22,\x22emailAddr\x22:\x22334740263@qq.com\x22,\x22mobileNo\x22:\x2215902074059\x22}0.0011498210662.427
logstash配置文件：
input {  
        file {  
                type => "uSG_gateway_access"  
                path => ["/usr/local/elk/elklog/nginxlog/log0/uSG_gateway_elk.log"]  
        }
} 
filter {
ruby {
init => "@kname = ['http_clientip','http_ServiceName','http_uid','http_sid','time_local','request','status','body_bytes_sent','connection_requests','remote_addr','http_referer','http_user_agent','request_body','request_time','msec']"
code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('message').split(''))])
new_event.remove('@timestamp')
event.append(new_event)"
}
if [request] {
ruby {
init => "@kname = ['method','uri','verb']"
code => "new_event = LogStash::Event.new(Hash[@kname.zip(event.get('request').split(' '))])
new_event.remove('@timestamp')
event.append(new_event)
"
}
}
mutate {
convert => ["body_bytes_sent" , "integer", "content_length", "integer", "upstream_response_time", "float","request_time", "float"]
}
        grok {
match => [ "message", "%{IPORHOST:clientip}%{USER}%{USER}%{USER}\[%{HTTPDATE:timestamp}\]"]
}
date {
match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
locale => "en"
}
        geoip {
source => "clientip"
    }
useragent {
    source => "http_user_agent"
    target => "useragent"
  }
}
output { 
elasticsearch {
hosts => "10.10.45.200:8201"
        index => "logstash-gateway-frontend-%{+YYYY.MM.dd}"
}
}
注意：日志分隔符为table键。

上一篇：nginx访问日志 logstash 配置文件实例2

下一篇：expect一键实现集群ssh免密登入

nginx访问日志 logstash 配置文件实例1

相关内容

热门资讯