nginx日志接入logstash
input {
  # Tail the nginx gateway access log; each line becomes one event.
  # NOTE(review): no start_position is set, so only lines appended after
  # Logstash starts are read (the file input's default) — confirm this is intended.
  file {
    path => "/usr/local/nginx/logs/gateway_access.log"
    type => "log"
  }
}
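filter {
  # Parse the leading part of the nginx access line: client, ident, auth,
  # request time, method and request URL. Everything after the URL is ignored.
  # NOTE(review): the pattern assumes a custom log_format without the quotes
  # of nginx's default "combined" format — with combined, %{NOTSPACE:method}
  # would capture the opening quote as part of the method. Confirm against nginx.conf.
  grok {
    match => {
      "message" => "^%{IPORHOST:clientip} (?:-|%{USER:ident}) (?:-|%{USER:auth}) \[%{HTTPDATE:[@metadata][timestamp]}\] %{NOTSPACE:method} %{NOTSPACE:url}"
    }
    # remove_field only runs on a successful match, so an unparsed line keeps
    # its raw message and receives the _grokparsefailure tag.
    remove_field => ["message"]
  }

  # Lines grok could not parse have no [url]; skipping them avoids filling every
  # extracted field with the literal "%{...}" placeholder text.
  if "_grokparsefailure" not in [tags] {
    # Use the request time from the log line as the event time instead of the
    # ingest time. @metadata fields are not shipped to the output.
    date {
      match => ["[@metadata][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z"]
    }

    # Keep only the query string: "/path?a=1&b=2" -> "a=1&b=2".
    # Field references use the unambiguous [field][index] form; the bare
    # "field[index]" form is deprecated and rejected in strict reference mode.
    mutate {
      split => { "url" => "?" }
      add_field => { "url_params" => "%{[url][1]}" }
      remove_field => ["url"]
    }

    # Parameters are taken by POSITION in the query string, not by name, so a
    # reordered or missing parameter lands in the wrong field. All of these
    # values are client-supplied and are indexed as untrusted data.
    # NOTE(review): if the parameter names are stable, the kv filter with
    # include_keys would be order-independent and allow-list the keys.
    mutate {
      split => { "url_params" => "&" }
      add_field => {
        "cdid_info"        => "%{[url_params][0]}"
        "elapsedTime_info" => "%{[url_params][1]}"
        "os_info"          => "%{[url_params][2]}"
        "time_info"        => "%{[url_params][3]}"
        "uid_info"         => "%{[url_params][4]}"
        "wt_info"          => "%{[url_params][5]}"
      }
      remove_field => ["url_params"]
    }

    # Strip the "name=" prefix from each parameter, keeping only the value.
    # mutate applies split before the common add_field/remove_field options,
    # so all six can be handled in a single filter.
    mutate {
      split => {
        "cdid_info"        => "="
        "elapsedTime_info" => "="
        "os_info"          => "="
        "time_info"        => "="
        "uid_info"         => "="
        "wt_info"          => "="
      }
      add_field => {
        "cdid"        => "%{[cdid_info][1]}"
        "elapsedTime" => "%{[elapsedTime_info][1]}"
        "os"          => "%{[os_info][1]}"
        "time"        => "%{[time_info][1]}"
        "uid"         => "%{[uid_info][1]}"
        "wt"          => "%{[wt_info][1]}"
      }
      remove_field => ["cdid_info", "elapsedTime_info", "os_info", "time_info", "uid_info", "wt_info"]
    }
  }
}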
output {
  # Ship the parsed events to Elasticsearch.
  # NOTE(review): no TLS or credentials are configured here, so the endpoint
  # must only be reachable from a trusted network — confirm the deployment.
  elasticsearch {
    hosts => ["elasticsearch:9200"]     # one or more ElasticSearch endpoints
    index => "gateway_access_nginx01"   # target index
  }
  # Uncomment to also print every event to the console (debugging only).
  #stdout { codec => rubydebug }
}
cd 到 conf 文件目录下
检查配置是否正确
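# Validate the pipeline first (-t) and start Logstash only if the config test
# passes, so a broken nginx.conf never starts an ingest pipeline.
../bin/logstash -f ./nginx.conf -t && ../bin/logstash -f ./nginx.conf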