nginx日志格式为:
# Access-log format that the Logstash grok pattern further down consumes; the
# field order here and the pattern's token order must stay in step.
# $upstream_response_time is written as "-" when nginx answered the request
# itself (no upstream involved) and may hold several comma/colon-separated
# values when more than one upstream was tried for the request.
log_format main '$remote_addr [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" $upstream_response_time';
# Neither $http_user_agent nor $http_x_forwarded_for is logged, so the resulting
# events cannot be attributed to a client behind a proxy or filtered by user agent.
access_log /home/log/nginx/access.log main;
nginx服务器上的logstash配置为:
input {
  # Tail the access log that the nginx log_format above writes.
  # No start_position is given, so the file plugin's default (read from the
  # end on first sight of the file) applies.
  file {
    path => "/home/log/nginx/access.log"
  }
}
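filter {
  # Parse the nginx "main" log_format. Existing field names (clientip, time,
  # verb, request, httpversion, http_status_code, bytes, http_referer,
  # response_time) are kept so downstream queries keep working.
  #
  # Two patterns are tried in order; the first match wins (grok's default
  # break_on_match).
  #  1. Strict pattern: well-formed "VERB PATH HTTP/x.y" request line and a
  #     numeric upstream time. The last token also accepts "-", which nginx
  #     writes when no upstream served the request (static file, error page);
  #     the original pattern tagged every such line _grokparsefailure and the
  #     float conversion below never saw them. http_referer now matches any
  #     run of non-quote characters rather than \S+, since nginx escapes a
  #     literal quote but not a space inside the value.
  #  2. Fallback: keeps the raw request line as request_raw and the raw upstream
  #     field as response_time_raw when the strict pattern does not match
  #     (malformed requests, scanner probes, raw TLS bytes on a plain port,
  #     multi-upstream time lists). Without it exactly those lines drop out of
  #     the index as _grokparsefailure, which is the traffic a defender most
  #     wants to see.
  grok {
    match => {
      "message" => [
        "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>[^\"]*)\" (?:%{NUMBER:response_time}|-)",
        "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{DATA:request_raw}\" %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>[^\"]*)\" %{GREEDYDATA:response_time_raw}"
      ]
    }
  }
  # Set @timestamp from the log line instead of ingestion time, so events that
  # arrive late (backlog, restart) still sort correctly on a timeline and land
  # in the index for the day they happened. HTTPDATE captures the $time_local
  # form, e.g. 10/Oct/2000:13:55:36 -0700.
  date {
    match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
  mutate {
    # response_time only exists when the strict pattern matched a number;
    # convert on an absent field is a no-op.
    convert => ["response_time", "float"]
  }
}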
output {
  # One index per @timestamp day. The host is given without a scheme and no
  # ssl/user/password options are set here, so the connection is plain,
  # unauthenticated HTTP unless the cluster side enforces otherwise.
  # flush_size and idle_flush_time of 1 mean a bulk request goes out as soon
  # as a single event is queued or after one idle second: fine for a demo,
  # a throughput ceiling under real load.
  elasticsearch {
    index => "nginx-%{+YYYY.MM.dd}"
    hosts => ["192.168.6.11:9200"]
    template_overwrite => true
    workers => 1
    idle_flush_time => 1
    flush_size => 1
  }
}