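# Install nginx with the package manager your distribution provides.
# Run only the line that applies; both need root privileges.
apt install nginx -y   # Debian/Ubuntu
yum install nginx -y   # RHEL/CentOS

# Paths used by the packaged nginx:
#   /usr/sbin/nginx    main program
#   /etc/nginx         configuration files
#   /usr/share/nginx   static files
#   /var/log/nginx     logs

# nginx service commands. Usage synopsis (pick exactly one action):
#   service nginx {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}
# The synopsis stays a comment because the shell would read each "|" as a pipe.
service nginx start

# Open the page in a browser, then watch the requests arrive in the access log.
# URL: http://192.168.1.7/
tail -f /var/log/nginx/access.log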
配置filebeat
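# Ship the nginx access log to Logstash.
# Nesting matters: enabled, paths, tags and fields all belong to the single
# "log" input, and hosts belongs to output.logstash.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  tags: ["log"]
  # Extra field attached to every event. With fields_under_root: false it is
  # stored as fields.from instead of as a top-level key.
  fields:
    from: nginx
  fields_under_root: false
output.logstash:
  # NOTE(review): this address is outside the private ranges and no ssl.*
  # settings are present, so the access-log lines (client IPs, user names,
  # referers, user agents) cross the network unencrypted and the Logstash
  # endpoint is not authenticated. Enable TLS on both sides before using this
  # outside a lab, for example:
  # ssl.certificate_authorities: ["/path/to/ca.crt"]   # placeholder path
  hosts: ["106.14.217.165:5044"]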
# Run Filebeat in the foreground: -e sends its own log to stderr, -c names the config file.
# Filebeat refuses a config file that is writable by group/others or owned by a different
# user; fix the file's ownership and mode instead of switching that check off.
./filebeat -e -c haoke-nginx.yml
配置logstash
# Create the Logstash pipeline definition.
vim haoke-pipeline.conf
# Enter the following content:
# Receive events from Filebeat.
input {
  beats {
    port => "5044"
    # NOTE(review): no TLS is configured here, so any host that can reach this
    # port can submit events and the traffic is readable in transit. Restrict
    # the port with a firewall and enable TLS, for example:
    # ssl => true
    # ssl_certificate => "/path/to/logstash.crt"   # placeholder path
    # ssl_key => "/path/to/logstash.key"           # placeholder path
  }
}

# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }

# Print every event to the console in a readable form while testing.
output {
  stdout { codec => rubydebug }
}
# Dry run: --config.test_and_exit only checks that the pipeline file is valid, then exits.
bin/logstash -f haoke-pipeline.conf --config.test_and_exit
# Expected output when the file is valid:
#[INFO ][logstash.runner] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
# Real start: --config.reload.automatic hot-reloads the pipeline file, so edits need no restart.
# Because edits take effect on their own, keep haoke-pipeline.conf writable only by the
# account that administers Logstash.
bin/logstash -f haoke-pipeline.conf --config.reload.automatic
配置filter
# Edit the main nginx configuration to define the access-log format shown next.
vim /etc/nginx/nginx.conf
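# Access-log layout. The spaces and the " - " separator are significant: the
# NGINX_ACCESS grok pattern used by Logstash expects exactly this layout.
# Adjacent quoted strings are joined with nothing in between, so each piece
# carries its own trailing space.
# $request, $http_referer and $http_user_agent are client-controlled; nginx's
# default log escaping keeps a stray double quote in them from breaking the
# quoted fields.
log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';
# The last argument must be the name given to log_format above.
access_log /var/log/nginx/access.log main;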
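# Validate the edited configuration first; reload only when the check passes.
nginx -t && nginx -s reload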
编写nginx-patterns文件
# Custom grok pattern: the name, then the expression it stands for.
# It has to mirror the nginx log_format field for field, literal spaces and " - " included.
# request, http_referer and http_user_agent are supplied by the client; treat the captured
# values as untrusted wherever they are later displayed or queried.
NGINX_ACCESS %{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] \"%{DATA:request}\" %{INT:status} %{NUMBER:bytes_sent} \"%{DATA:http_referer}\" \"%{DATA:http_user_agent}\"
修改haoke-pipeline.conf文件
# Reopen the pipeline file and add the grok filter shown next.
vim haoke-pipeline.conf
# Receive events from Filebeat.
input {
  beats {
    # NOTE(review): no TLS settings; limit who can reach this port.
    port => "5044"
  }
}

# Split each access-log line into named fields.
filter {
  grok {
    # Location of the custom NGINX_ACCESS pattern.
    # NOTE(review): another version of this file on the page uses
    # /haoke/beats/logstash-6.5.4/nginx-patterns; confirm which path exists.
    patterns_dir => "/haoke/logstash-6.5.4/nginx-patterns"
    match => { "message" => "%{NGINX_ACCESS}" }
    # add_tag and remove_tag are applied only when the match succeeds; lines
    # that do not match keep the _grokparsefailure tag.
    remove_tag => ["_grokparsefailure"]
    add_tag => ["nginx_access"]
  }
}

# Print the parsed events to the console to check the field extraction.
output {
  stdout { codec => rubydebug }
}
# Run Filebeat and Logstash again to try the grok filter; the stdout output prints the parsed events.
./filebeat -e -c haoke-nginx.yml
bin/logstash -f haoke-pipeline.conf --config.reload.automatic
# Receive events from Filebeat.
input {
  beats {
    # NOTE(review): no TLS settings; limit who can reach this port.
    port => "5044"
  }
}

# Split each access-log line into named fields.
filter {
  grok {
    # Location of the custom NGINX_ACCESS pattern.
    # NOTE(review): an earlier version of this file on the page uses
    # /haoke/logstash-6.5.4/nginx-patterns; confirm which path exists.
    patterns_dir => "/haoke/beats/logstash-6.5.4/nginx-patterns"
    match => { "message" => "%{NGINX_ACCESS}" }
    # add_tag and remove_tag are applied only when the match succeeds.
    remove_tag => ["_grokparsefailure"]
    add_tag => ["nginx_access"]
  }
}

# Index the events in Elasticsearch.
output {
  elasticsearch {
    # NOTE(review): this address is outside the private ranges and no
    # credentials or TLS options are set, so the cluster is presumably
    # reachable without authentication over plain HTTP. Enable Elasticsearch
    # security, keep port 9200 off the public network, and configure for example:
    # user => "logstash_writer"        # placeholder account name
    # password => "${ES_PASSWORD}"     # placeholder, read from the environment
    # ssl => true
    # cacert => "/path/to/ca.crt"      # placeholder path
    hosts => ["106.14.217.165:9200"]
  }
}
# Run Filebeat and Logstash again; events now go to Elasticsearch instead of the console.
./filebeat -e -c haoke-nginx.yml
bin/logstash -f haoke-pipeline.conf --config.reload.automatic