Two ways of collecting logs
ELK has two common ways of collecting logs:
- Leave the source log format unchanged: the logs are relayed through Logstash, where a grok filter turns the raw, unstructured logs into structured ones (Logstash defines the log format)
- Change the source log format so that the application already emits logs in the required structure; Logstash is then only responsible for collecting and forwarding and does no filtering at all (the Filebeat producer side defines the log format)
Pros and cons:
With the first approach, leaving the source format unchanged, Logstash parses everything with grok, which has no impact on the production service. Under heavy load, however, the grok filter in Logstash becomes a performance bottleneck and eventually blocks normal log output, so grok filtering in Logstash should be avoided wherever possible.
The second approach is to change the source log format, that is, to define a custom log format while collecting production logs. It takes some work, but the advantage is clear: because the output format is defined up front, Logstash only has to collect and forward, which greatly reduces its load and makes log collection and transport much more efficient. This is the option enterprises prefer.
Custom nginx log format
```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # key configuration start
    map $http_x_forwarded_for $clientRealIp {
        "" $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
    }
    log_format nginx_log_json '{"accessip_list":"$proxy_add_x_forwarded_for","client_ip":"$clientRealIp","http_host":"$host","@timestamp":"$time_iso8601","method":"$request_method","url":"$request_uri","status":"$status","http_referer":"$http_referer","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","http_user_agent":"$http_user_agent","total_bytes_sent":"$bytes_sent","server_ip":"$server_addr"}';
    access_log /var/log/nginx/access.log nginx_log_json;
    # key configuration end

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
```
The resulting nginx log entry
```json
{
  "accessip_list": "183.197.x.x",
  "client_ip": "183.197.x.x",
  "http_host": "xgzx.admin.talkmed.com",
  "@timestamp": "2020-08-23T08:19:06+08:00",
  "method": "POST",
  "url": "/webapi/sessions/comments",
  "status": "200",
  "http_referer": "http://xgzx.talkmed.com/meeting/live?id=68",
  "body_bytes_sent": "6481",
  "request_time": "0.111",
  "http_user_agent": "Mozilla/5.0 (iPad; CPU OS 12_4_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f24) NetType/WIFI Language/zh_CN",
  "total_bytes_sent": "7820",
  "server_ip": "x.x.175.39"
}
```
Field descriptions
- accessip_list: the list of IP addresses accumulated by the proxies along the request path
- client_ip: the real IP address of the client
- http_host: the address the client requested, i.e. the IP or domain name typed into the browser
- @timestamp: the timestamp of the request
- method: the HTTP request method, usually "GET" or "POST"
- url: the original request URL including its query parameters
- status: the response status of the request
- http_referer: the page the request came from, technically called the referer
- body_bytes_sent: the number of bytes sent to the client, excluding the response headers
- request_time: the request processing time in seconds, with millisecond precision
- http_user_agent: the client's browser information, such as browser type and version
- total_bytes_sent: the total number of bytes transferred to the client
- server_ip: the IP address of the local server
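As an added example that is not part of the original post, here is a small Python checker for lines in the nginx_log_json format above. It relies on two properties of that config: client_ip is taken from the X-Forwarded-For header, which the sender controls, whereas $proxy_add_x_forwarded_for always ends with $remote_addr, so the last entry of accessip_list is the real TCP peer; and because the log_format above does not use nginx's escape=json parameter, a request field containing a double quote yields a line that is not valid JSON, which the checker reports rather than silently drops. The sample lines and all addresses in them are constructed.

```python
import ipaddress
import json

# Constructed sample lines in the nginx_log_json layout above (not real traffic).
# Line 2: X-Forwarded-For was junk, so the nginx map left client_ip empty.
# Line 3: a '"' in the User-Agent, as nginx emits it without escape=json.
SAMPLE_LOG = '''\
{"accessip_list":"203.0.113.7, 10.0.0.2","client_ip":"203.0.113.7","http_host":"example.test","@timestamp":"2020-08-23T08:19:06+08:00","method":"POST","url":"/webapi/sessions/comments","status":"200","http_referer":"-","body_bytes_sent":"6481","request_time":"0.111","http_user_agent":"Mozilla/5.0","total_bytes_sent":"7820","server_ip":"198.51.100.9"}
{"accessip_list":"garbage, 198.51.100.20","client_ip":"","http_host":"example.test","@timestamp":"2020-08-23T08:19:07+08:00","method":"GET","url":"/","status":"200","http_referer":"-","body_bytes_sent":"12","request_time":"0.001","http_user_agent":"curl/7.68.0","total_bytes_sent":"300","server_ip":"198.51.100.9"}
{"accessip_list":"203.0.113.8","client_ip":"203.0.113.8","http_host":"example.test","@timestamp":"2020-08-23T08:19:08+08:00","method":"GET","url":"/","status":"200","http_referer":"-","body_bytes_sent":"12","request_time":"0.001","http_user_agent":"bad "quote" agent","total_bytes_sent":"300","server_ip":"198.51.100.9"}
'''

def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_nginx_json_log(text):
    """Parse nginx_log_json lines; return (records, rejected).

    peer_ip: last entry of accessip_list; $proxy_add_x_forwarded_for appends
      $remote_addr, so this is the real TCP peer, which a client cannot forge.
    client_ip_valid: whether client_ip is a well-formed address; it comes from
      X-Forwarded-For, which the sender controls.
    Lines that are not valid JSON go to `rejected` as (line number, error).
    """
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((lineno, str(exc)))
            continue
        hops = [h.strip() for h in rec.get("accessip_list", "").split(",")]
        rec["peer_ip"] = ([h for h in hops if h] or [""])[-1]
        rec["client_ip_valid"] = _is_ip(rec.get("client_ip", ""))
        records.append(rec)
    return records, rejected

if __name__ == "__main__":
    good, bad = parse_nginx_json_log(SAMPLE_LOG)
    for r in good:
        print(r["peer_ip"], r["client_ip"], r["client_ip_valid"], r["url"])
    for lineno, err in bad:
        print(f"line {lineno}: rejected ({err})")
```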
Filebeat configuration
Configuration file path: /etc/filebeat/filebeat.yml
inputs: the input configuration. The `enabled: false` option controls whether an input is active; the default is enabled. In the block below, the first log input is disabled and the second is enabled.
```yaml
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  # Change to true to enable this input configuration.
  enabled: false
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
- type: log
  paths:
    - /usr/local/nginx/logs/nginx_access.log
  fields:
    index: 'nginx_access_log'
```
When several inputs are needed, simply add more input entries, each with its own distinct key.
output: the output configuration; here the output goes to Redis.
```yaml
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # hosts: ["localhost:9200"]
output.redis:
  hosts: ["x.x.53.36:8417"]
  password: ""
  db: 0
  timeout: 5
  key: "%{[fields.index]:otherIndex}"
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
```
Restart Filebeat. Once the log file has content, it is pushed into Redis, and the corresponding log entries can be viewed with the following commands:
```shell
llen nginx_access_log
lrange nginx_access_log 0 -1
```
