- 编写配置文件, 从 Nginx access.log, error.log 中解析日志数据
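# Logstash pipeline: tail the Nginx access and error logs, structure each line
# with grok, add GeoIP data for the client address, and ship events to
# Elasticsearch (plus a local file copy for inspection).
input {
  file {
    type => "nginx-access"
    path => "/var/nginx/access.log"
    # Quoted: plugin option values are strings. "beginning" reads the lines
    # already in the file on first start instead of only new ones.
    start_position => "beginning"
    # 0 presumably means "do not skip files by age" - confirm against the
    # installed file-input plugin version, as the default has changed over time.
    ignore_older => 0
  }
  file {
    type => "nginx-error"
    path => "/var/nginx/error.log"
    start_position => "beginning"
    ignore_older => 0
  }
}

filter {
  if [type] == "nginx-access" {
    grok {
      # Nginx's default "combined" log_format is compatible with Apache's, so
      # the stock pattern applies; anything after it lands in extra_fields.
      # NOTE(review): the '+' repeats the whole COMBINEDAPACHELOG group; kept
      # as written, but it looks unintended and may slow matching on odd lines.
      match => { "message" => "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}" }
    }
  } else if [type] == "nginx-error" {
    grok {
      # Error lines: "<ts> [<level>] <pid>#<tid>: <text>" followed by optional
      # ", client: ...", ", server: ...", ", request: ...", ", upstream: ...",
      # ", host: ..." and ", referrer: ..." clauses.
      # The "client:" clause is now optional like the others: lines without it
      # (e.g. lifecycle / startup messages) would otherwise fail to parse and
      # lose their structured fields.
      match => [ "message" , "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<clientip>%{IP}|%{HOSTNAME}))?(?:, server: %{IPORHOST:server}?)(?:, request: %{QS:request})?(?:, upstream: (?<upstream>\"%{URI}\"|%{QS}))?(?:, host: %{QS:request_host})?(?:, referrer: \"%{URI:referrer}\")?"]
    }
  }

  # Only look up GeoIP when grok actually produced a clientip; otherwise every
  # event lacking the field is tagged as a failed lookup. For error-log lines
  # clientip may be a hostname (see the pattern above), which the GeoIP
  # database cannot resolve - expect a failure tag on those.
  if [clientip] {
    geoip {
      source => "clientip"
    }
  }
}

output {
  elasticsearch {
    # No hosts or credentials are given, so the plugin defaults apply (a local,
    # unauthenticated node). Outside a lab, set hosts, user/password and ssl so
    # log data is not sent in the clear to an unverified endpoint.
    # One index per type and day, e.g. nginx-access-2024.01.31.
    index => "%{type}-%{+YYYY.MM.dd}"
  }
  file {
    # NOTE(review): Logstash does not perform shell tilde expansion, so "~/"
    # is presumably treated as a literal relative path; use an absolute path
    # owned by the Logstash user. Restrict the file's permissions - it holds
    # raw client IPs and request lines from the logs.
    path => "~/nginx-logstash.output"
  }
}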