Filebeat reading Nginx logs

With Filebeat 7.11, the nginx module's default configuration fails to parse access logs written in the custom format below (the extra fields are not extracted), so this note records the changes that were needed.

  • Change the Nginx log format

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for" '
                                '"$http_x_real_ip" "$server_addr" "$host" '
                                '$request_time $upstream_response_time "$upstream_addr" '
                                '"$time_iso8601"';
  • Modify the grok pattern of the Filebeat nginx module

    ....filebeat/module/nginx/access/ingest/default.json
    # original pattern
    - grok:
        field: message
        patterns:
        - (%{NGINX_HOST} )?"?(?:%{NGINX_ADDRESS_LIST:nginx.access.remote_ip_list}|%{NOTSPACE:source.address})
          - (-|%{DATA:user.name}) \[%{HTTPDATE:nginx.access.time}\] "%{DATA:nginx.access.info}"
          %{NUMBER:http.response.status_code:long} %{NUMBER:http.response.body.bytes:long}
          "(-|%{DATA:http.request.referrer})" "(-|%{DATA:user_agent.original})"
    # modified pattern, written as a single-quoted YAML string so that the
    # backslashes are written once. The address list uses NGINX_ADDRESS_LIST,
    # which this pipeline already defines in pattern_definitions (the original
    # pattern uses it); IP_LIST is not a built-in grok pattern and the pipeline
    # fails to load with "Unable to find pattern" unless it is defined.
    # Fields renamed here (user_agent.original -> nginx.access.agent,
    # http.response.status_code -> nginx.access.response_code, ...) are no
    # longer seen by the later processors in the pipeline that reference the
    # original names; nginx.access.time and nginx.access.remote_ip_list keep
    # their names so the date and split processors still work.
    - grok:
        field: message
        patterns:
          - '"?%{NGINX_ADDRESS_LIST:nginx.access.remote_ip_list} - %{DATA:nginx.access.user_name} \[%{HTTPDATE:nginx.access.time}\] "%{GREEDYDATA:nginx.access.info}" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} "%{DATA:nginx.access.referrer}" "%{DATA:nginx.access.agent}" "%{DATA:nginx.access.xff}" "%{DATA:nginx.access.x_real_ip}" "%{DATA:nginx.access.server_addr}" "%{DATA:nginx.access.host}" %{DATA:nginx.access.request_time} %{DATA:nginx.access.upstream_response_time} "%{DATA:nginx.access.upstream_addr}" "%{DATA:nginx.access.time_iso8601}"'

  • Modify fields.yml

    # find the corresponding nginx node
    - name: agent
    .......
    # add the following after that node (match the indentation of the
    # surrounding entries). Concrete types are used here: "type: group"
    # produces an object mapping, and Elasticsearch rejects a string indexed
    # into an object field ("tried to parse field as object, but found a
    # concrete value"), so the events would fail to index.
               - name: xff
                 type: keyword
                 description: >
                   http_x_forwarded_for.
               - name: x_real_ip
                 type: keyword
                 description: >
                   http_x_real_ip.
               - name: server_addr
                 type: keyword
                 description: >
                   server_addr, the server address.
               - name: host
                 type: keyword
                 description: >
                   host, the HTTP Host header.
               - name: request_time
                 type: float
                 description: >
                   request_time, the request processing time in seconds.
               - name: upstream_response_time
                 type: keyword
                 description: >
                   upstream_response_time, the backend response time. Kept as keyword
                   because nginx writes "-" when there is no upstream and a comma-separated
                   list when several upstreams were tried, which a numeric mapping rejects.
               - name: upstream_addr
                 type: keyword
                 description: >
                   upstream_addr, the backend address.
               - name: time_iso8601
                 type: date
                 description: >
                   time_iso8601, the request time in ISO 8601 format.
  • Restart filebeat. A restart only re-reads the local files; the grok pattern runs inside Elasticsearch, so the modified pipeline has to be loaded there (for example with filebeat setup --pipelines --modules nginx) and the changed fields.yml pushed as a new index template (filebeat setup --index-management), otherwise the previously loaded versions stay in effect. The new template only applies to indices created after it is loaded.
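The modified grok pattern can be checked offline before it is loaded into Elasticsearch. The block below is an added example, not code from the original note or from Filebeat: it carries a small grok expander with definitions transcribed from the standard grok library (simplified for the example: IPv4 only, three-letter month names) plus NGINX_ADDRESS_LIST as the module pipeline itself defines it, expands the pattern into a Python regex, and runs it over constructed access-log lines in the log_format above. One of the lines is a static response, where $upstream_response_time and $upstream_addr are "-" and the User-Agent carries the \x22 that nginx's default escaping writes for a double quote. Function and sample names are the example's own.

```python
import re

# Grok definitions used by the modified pattern. Transcribed from the standard
# grok library and simplified for this example (IPv4 only, three-letter month
# names); NGINX_ADDRESS_LIST is the definition carried by the Filebeat nginx
# module pipeline itself.
GROK = {
    "INT": r"[+-]?[0-9]+",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60))?(?![0-9])",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    "NGINX_ADDRESS_LIST": r'(?:%{IP}|%{WORD})(?:"?,?\s*(?:%{IP}|%{WORD}))*',
}

_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def grok_to_regex(pattern):
    """Recursively expand %{NAME} and %{NAME:field} into a Python regex.
    Python group names cannot contain dots, so 'nginx.access.xff' becomes
    'nginx__access__xff'; parse_line() maps the names back."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK[name])
        return f"(?P<{field.replace('.', '__')}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)


# The modified pattern from the pipeline above, with the YAML quoting removed.
ACCESS_PATTERN = (
    r'"?%{NGINX_ADDRESS_LIST:nginx.access.remote_ip_list} - %{DATA:nginx.access.user_name} '
    r'\[%{HTTPDATE:nginx.access.time}\] "%{GREEDYDATA:nginx.access.info}" '
    r'%{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} '
    r'"%{DATA:nginx.access.referrer}" "%{DATA:nginx.access.agent}" '
    r'"%{DATA:nginx.access.xff}" "%{DATA:nginx.access.x_real_ip}" '
    r'"%{DATA:nginx.access.server_addr}" "%{DATA:nginx.access.host}" '
    r'%{DATA:nginx.access.request_time} %{DATA:nginx.access.upstream_response_time} '
    r'"%{DATA:nginx.access.upstream_addr}" "%{DATA:nginx.access.time_iso8601}"'
)
ACCESS_RE = re.compile(grok_to_regex(ACCESS_PATTERN))


def parse_line(line):
    """Return the captured fields keyed by their dotted grok names, or None
    when the line does not match. re.search is used because the grok
    processor is not anchored either."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    return {k.replace("__", "."): v for k, v in m.groupdict().items()}


# Constructed sample lines in the log_format above (not real traffic).
# Proxied request: X-Forwarded-For carries two addresses.
SAMPLE_PROXIED = (
    '203.0.113.7 - - [01/Mar/2021:10:15:30 +0800] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0" "198.51.100.2, 203.0.113.7" "198.51.100.2" "10.0.0.1" '
    '"example.com" 0.005 0.003 "10.0.0.5:8080" "2021-03-01T10:15:30+08:00"'
)
# Static response: no upstream, so $upstream_response_time and $upstream_addr
# are "-", and a User-Agent quote has been written as \x22 by nginx.
SAMPLE_STATIC = (
    '198.51.100.9 - alice [01/Mar/2021:10:16:02 +0800] "GET /static/app.js HTTP/1.1" 304 0 '
    '"https://example.com/" "curl/7.68.0 \\x22probe\\x22" "-" "-" "10.0.0.1" '
    '"example.com" 0.000 - "-" "2021-03-01T10:16:02+08:00"'
)

if __name__ == "__main__":
    for line in (SAMPLE_PROXIED, SAMPLE_STATIC):
        fields = parse_line(line)
        assert fields is not None, "pattern did not match the sample line"
        for key, value in fields.items():
            print(f"{key:40} {value}")
        print()
```

The static line is the reason upstream_response_time is left as a keyword in fields.yml: the pattern captures the literal "-" there, which a float mapping would reject at index time.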

Further

  • If the Nginx log is written as JSON

        log_format main escape=json '{"@timestamp":"$time_iso8601",'
                        '"host":"$server_addr",'
                        '"clientip":"$remote_addr",'
                        '"size":"$body_bytes_sent",'
                        '"responsetime":"$request_time",'
                        '"upstreamtime":"$upstream_response_time",'
                        '"upstreamhost":"$upstream_addr",'
                        '"httphost":"$host",'
                        '"referer":"$http_referer",'
                        '"xff":"$http_x_forwarded_for",'
                        '"agent":"$http_user_agent",'
                        '"request":"$request",'
                        '"uri":"$uri",'
                        '"status":"$status"}';

    escape=json (nginx 1.11.8 and later) is required for this format. $http_user_agent, $http_referer, $request and $http_x_forwarded_for are client-controlled; with the default escaping nginx writes a double quote in them as \x22, which is not a valid JSON escape, so the whole line is rejected by the JSON decoder, and with escape=none the client can close the string and append keys of its own. The duplicated "clientip" key of the original version has been dropped and the misspelled key names corrected.
  • fields.yml needs the same kind of additions. The module's grok pattern does not match a JSON line, so the JSON has to be decoded instead, either on the Filebeat side (json.keys_under_root: true on the log input) or by replacing the grok processor in the pipeline with a json processor.
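To show why the escaping mode matters for a JSON log_format, the block below is an added example that is not code from the original note or from nginx. It simulates, byte by byte, the three escaping modes documented for ngx_http_log_module (default, escape=json, escape=none) on a constructed User-Agent that tries to smuggle a second "clientip" key into the record, renders a subset of the log_format above in the same key order, and decodes the result the way a JSON ingest step would. Function names, the sample values and the payload are the example's own.

```python
import json

# Byte-level simulation of the escaping modes documented for nginx log_format.
# Input and output are bytes because nginx escapes per byte, not per character.

def nginx_escape_default(value: bytes) -> bytes:
    """Default escaping: '"', '\\' and bytes outside 0x20..0x7E become \\xXX,
    which is not a JSON escape sequence."""
    out = bytearray()
    for b in value:
        if b in (0x22, 0x5C) or b < 0x20 or b > 0x7E:
            out += b"\\x%02X" % b
        else:
            out.append(b)
    return bytes(out)


_JSON_SHORT = {0x0A: b"\\n", 0x0D: b"\\r", 0x09: b"\\t", 0x08: b"\\b", 0x0C: b"\\f"}


def nginx_escape_json(value: bytes) -> bytes:
    """escape=json: '"' and '\\' are backslash-escaped, control bytes become the
    short JSON escapes or \\u00XX; everything else (UTF-8 included) passes through."""
    out = bytearray()
    for b in value:
        if b == 0x22:
            out += b'\\"'
        elif b == 0x5C:
            out += b"\\\\"
        elif b < 0x20:
            out += _JSON_SHORT.get(b, b"\\u%04X" % b)
        else:
            out.append(b)
    return bytes(out)


def nginx_escape_none(value: bytes) -> bytes:
    """escape=none: the value is written verbatim."""
    return value


# Subset of the JSON log_format above, same key order. Only the two
# client-controlled variables go through the escaper; the server-generated
# values are constructed ASCII.
LOG_FORMAT = (b'{"@timestamp":"%(time)s","host":"%(host)s","clientip":"%(clientip)s",'
              b'"agent":"%(agent)s","request":"%(request)s","status":"%(status)s"}')


def render_line(escape, agent: bytes, request: bytes = b"GET / HTTP/1.1") -> bytes:
    """Render one access-log line as nginx would with the given escaping mode."""
    return LOG_FORMAT % {
        b"time": b"2021-03-01T10:15:30+08:00",
        b"host": b"10.0.0.1",
        b"clientip": b"203.0.113.7",
        b"agent": escape(agent),
        b"request": escape(request),
        b"status": b"200",
    }


def try_parse(line: bytes):
    """Decode the line as a JSON ingest step would; None means the line is
    rejected (JSONDecodeError and UnicodeDecodeError are both ValueError)."""
    try:
        return json.loads(line)
    except ValueError:
        return None


# Constructed User-Agent that closes the string and adds a second "clientip".
# The real key comes earlier in the record, so on decode the injected one wins.
PAYLOAD_UA = b'ua", "clientip": "192.0.2.1'

if __name__ == "__main__":
    for name, esc in (("none", nginx_escape_none), ("default", nginx_escape_default),
                      ("json", nginx_escape_json)):
        line = render_line(esc, PAYLOAD_UA)
        print(f"escape={name:7} {line.decode()}")
        print(f"   decoded: {try_parse(line)}")
```

With escape=none the decoded record reports the spoofed client address; with the default escaping the line is dropped as invalid JSON (and any non-ASCII User-Agent is dropped the same way); with escape=json the payload survives as an ordinary string value and the real clientip is preserved.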
