logstash通过rsyslog对nginx的日志收集和分析_服务器

logstash通过rsyslog对nginx的日志收集和分析

logstash根据rsyslog收集和分析nginx日志

http://bbotte.blog.51cto.com/6205307/1613571物流公司。d性研究与咨询公司。kibana的安装和设备

在http://bbotte.blog.51cto.com/6205307/1614453,的这篇文章中，使用nginx修复漏洞的方法来完成rsyslog对nginx日志的分析，但互联网上的自然环境却大不相同。这里nginx的日志是根据rsyslog直接上传到logstash网络服务器的，所以不需要改动nginx，比较简洁明了。

Nginx服务器

nginx的环境变量不需要修改。示例:

[root@db2 ~]# grep -v ^.*# /usr/local/nginx/conf/nginx.conf|sed '/^$/d' worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; index index.html; #默认设置配备，改动了下边两行 root /var/www; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } }

Rsyslog设置

[root@db2 ~]# grep -v ^# /etc/rsyslog.conf|sed '/^$/d' $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog # provides kernel logging support (previously done by rklogd) $ModLoad imfile # imfile控制模块务必开启 Load the imfile input module $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg * uucp,news.crit /var/log/spooler local7.* /var/log/boot.log #下边是nginx的设定 $InputFileName /var/log/nginx/error.log $InputFileTag kibana-nginx-errorlog: $InputFileStateFile state-kibana-nginx-errorlog $InputRunFileMonitor $InputFileName /var/log/nginx/access.log $InputFileTag kibana-nginx-accesslog: $InputFileStateFile state-kibana-nginx-accesslog $InputRunFileMonitor $InputFilePollInterval 10 #等候10秒左右推送一次 if $programname == 'kibana-nginx-errorlog' then @192.168.10.1:514 if $programname == 'kibana-nginx-errorlog' then ~ if $programname == 'kibana-nginx-accesslog' then @192.168.10.1:514 if $programname == 'kibana-nginx-accesslog' then ~ *.* @192.168.10.1:514

配备:

$InputFileTag定义的名称必须是唯一的，同一台服务器上的不同应用要应用不同的名称，否则新定义的标签无效；

$InputFileStateFile定义的StateFile必须是唯一的，它被rsyslog用来记录上传文件的进度，否则会造成混乱；

@192.168.10.1:514用于指定接受日志的服务器的域名或IP地址；

如有必要，添加$InputFileSeverity信息

然后重新启动rsyslog服务项目

[root@db2 ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]

nginx的日志已经链接到logstashweb服务器的/var/log/messages，如下图所示。

Logstash.conf配备了

input { file { type => "syslog" # path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ] path => [ "/var/log/messages" ] sincedb_path => "/var/sincedb" } redis { host => "192.168.10.1" type => "redis-input" data_type => "list" key => "logstash" } syslog { type => "syslog" port => "5544" } } filter { grok { type => "syslog" match => [ "message", "%{SYSLOGBASE2}" ] add_tag => [ "syslog", "grokked" ] } } output { elasticsearch { host => "192.168.10.1" } }

nginx日志:

2月26日14:41:47DB2kibana-nginx-accesslog:192.168.10.50---[26/Feb/2015:14:41:420800]"GET/HTTP/1.1"3040"-"Mozilla/5.0(WindowsNT6.2；WOW64三叉戟/7.0；rv:11.0)像壁虎LBBROWSER""-"

Logstashpage:

参考:

https://medium.com/@ThomasDecaux/exploit-nginx-access-log-with-rsyslog-logstash-elasticsearch-and-kiBana-48ab5c71b42d

https://blog.basefarm.com/blog/how-to-install-logstash-with-kiBana-interface-on-rhel/

http://ialloc.org/posts/2014/07/06/nginx-notes-log-syslog/

http://w.gdu.me/wiki/Linux/rsyslog_logrotate.html

http://xstarcd.github.io/wiki/Linux/rsyslog_logrotate.html

欢迎分享，转载请注明来源：内存溢出

原文地址: http://outofmemory.cn/zz/783667.html

logstash通过rsyslog对nginx的日志收集和分析

发表评论

评论列表（0条）