將nginx日志通過filebeat收集后傳入logstash，經(jīng)過logstash處理后寫入elasticsearch。filebeat只負(fù)責(zé)收集工作，logstash完成日志的格式化，數(shù)據(jù)的替換，拆分 ，以及將日志寫入elasticsearch后的索引的創(chuàng)建。

1、配置nginx日志格式

log_format main    '$remote_addr $http_x_forwarded_for [$time_local] $server_name $request '             '$status $body_bytes_sent $http_referer '             '"$http_user_agent" '            '"$connection" '            '"$http_cookie" '            '$request_time '            '$upstream_response_time';

2、安裝配置filebeat，啟用nginx module

tar -zxvf filebeat-6.2.4-linux-x86_64.tar.gz -C /usr/localcd /usr/local;ln -s filebeat-6.2.4-linux-x86_64 filebeatcd /usr/local/filebeat

啟用nginx模塊

./filebeat modules enable nginx

查看模塊

./filebeat modules list

創(chuàng)建配置文件

vim /usr/local/filebeat/blog_module_logstash.ymlfilebeat.modules:- module: nginx access:  enabled: true  var.paths: ["/home/weblog/blog.cnfol.com_access.log"] #error: # enabled: true # var.paths: ["/home/weblogerr/blog.cnfol.com_error.log"]output.logstash: hosts: ["192.168.15.91:5044"]

啟動(dòng)filebeat

./filebeat -c blog_module_logstash.yml -e

3、配置logstash

tar -zxvf logstash-6.2.4.tar.gz /usr/localcd /usr/local;ln -s logstash-6.2.4 logstash創(chuàng)建一個(gè)nginx日志的pipline文件cd /usr/local/logstash

logstash內(nèi)置的模板目錄

vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns

編輯 grok-patterns 添加一個(gè)支持多ip的正則

FORWORD (?:%{IPV4}[,]?[ ]?)+|%{WORD}

官方grok

http://grokdebug.herokuapp.com/patterns#

創(chuàng)建logstash pipline配置文件

#input {# stdin {}#}# 從filebeat接受數(shù)據(jù)input { beats { port => 5044 host => "0.0.0.0" }}filter { # 添加一個(gè)調(diào)試的開關(guān) mutate{add_field => {"[@metadata][debug]"=>true}} grok { # 過濾nginx日志 #match => { "message" => "%{NGINXACCESS_TEST2}" } #match => { "message" => '%{IPORHOST:clientip} # (?<http_x_forwarded_for>[^/#]*) # /[%{HTTPDATE:[@metadata][webtime]}/] # %{NOTSPACE:hostname} # %{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} # %{NUMBER:response} # (?:%{NUMBER:bytes}|-) # (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) # (?:"(?<http_user_agent>[^#]*)") # (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) # (?:"(?<cookies>[^#]*)") # %{NUMBER:request_time:float} # (?:%{NUMBER:upstream_response_time:float}|-)' } #match => { "message" => '(?:%{IPORHOST:clientip}|-) (?:%{TWO_IP:http_x_forwarded_for}|%{IPV4:http_x_forwarded_for}|-) /[%{HTTPDATE:[@metadata][webtime]}/] (?:%{HOSTNAME:hostname}|-) %{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) %{QS:agent} (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) (?:"(?<cookies>[^#]*)") %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-)' }    match => { "message" => '(?:%{IPORHOST:clientip}|-) %{FORWORD:http_x_forwarded_for} /[%{HTTPDATE:[@metadata][webtime]}/] (?:%{HOSTNAME:hostname}|-) %{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion} %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:"(?:%{NOTSPACE:referrer}|-)"|%{NOTSPACE:referrer}|-) %{QS:agent} (?:"(?:%{NUMBER:connection}|-)"|%{NUMBER:connection}|-) %{QS:cookie} %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-)' } } # 將默認(rèn)的@timestamp(beats收集日志的時(shí)間)的值賦值給新字段@read_tiimestamp ruby {  #code => "event.set('@read_timestamp',event.get('@timestamp'))" #將時(shí)區(qū)改為東8區(qū) code => "event.set('@read_timestamp',event.get('@timestamp').time.localtime + 8*60*60)" } # 將nginx的日志記錄時(shí)間格式化 # 格式化時(shí)間 20/May/2015:21:05:56 +0000 date { locale => "en" match => ["[@metadata][webtime]","dd/MMM/yyyy:HH:mm:ss Z"] } # 將bytes字段由字符串轉(zhuǎn)換為數(shù)字 mutate { convert => {"bytes" => "integer"} } # 將cookie字段解析成一個(gè)json #mutate { # gsub => ["cookies",'/;',','] #}  # 如果有使用到cdn加速http_x_forwarded_for會(huì)有多個(gè)ip，第一個(gè)ip是用戶真實(shí)ip if[http_x_forwarded_for] =~ ", "{     ruby {         code => 'event.set("http_x_forwarded_for", event.get("http_x_forwarded_for").split(",")[0])'        }    } # 解析ip，獲得ip的地理位置 geoip { source => "http_x_forwarded_for" # # 只獲取ip的經(jīng)緯度、國(guó)家、城市、時(shí)區(qū) fields => ["location","country_name","city_name","region_name"]  } # 將agent字段解析,獲得瀏覽器、系統(tǒng)版本等具體信息 useragent { source => "agent" target => "useragent" } #指定要?jiǎng)h除的數(shù)據(jù) #mutate{remove_field=>["message"]} # 根據(jù)日志名設(shè)置索引名的前綴 ruby { code => 'event.set("@[metadata][index_pre]",event.get("source").split("/")[-1])' }  # 將@timestamp 格式化為2019.04.23 ruby { code => 'event.set("@[metadata][index_day]",event.get("@timestamp").time.localtime.strftime("%Y.%m.%d"))' } # 設(shè)置輸出的默認(rèn)索引名 mutate { add_field => {  #"[@metadata][index]" => "%{@[metadata][index_pre]}_%{+YYYY.MM.dd}"  "[@metadata][index]" => "%{@[metadata][index_pre]}_%{@[metadata][index_day]}" } } # 將cookies字段解析成json# mutate {# gsub => [#  "cookies", ";", ",",#  "cookies", "=", ":"# ]# #split => {"cookies" => ","}# }# json_encode {# source => "cookies"# target => "cookies_json"# }# mutate {# gsub => [#  "cookies_json", ',', '","',#  "cookies_json", ':', '":"'# ]# }# json {# source => "cookies_json"# target => "cookies2"# } # 如果grok解析存在錯(cuò)誤，將錯(cuò)誤獨(dú)立寫入一個(gè)索引 if "_grokparsefailure" in [tags] { #if "_dateparsefailure" in [tags] { mutate {  replace => {  #"[@metadata][index]" => "%{@[metadata][index_pre]}_failure_%{+YYYY.MM.dd}"  "[@metadata][index]" => "%{@[metadata][index_pre]}_failure_%{@[metadata][index_day]}"  } } # 如果不存在錯(cuò)誤就刪除message }else{ mutate{remove_field=>["message"]} }}output { if [@metadata][debug]{ # 輸出到rubydebuyg并輸出metadata stdout{codec => rubydebug{metadata => true}} }else{ # 將輸出內(nèi)容轉(zhuǎn)換成 "." stdout{codec => dots}  # 將輸出到指定的es elasticsearch {  hosts => ["192.168.15.160:9200"]  index => "%{[@metadata][index]}"  document_type => "doc" }  }}