A practice of managing logs with nginx + graylog

Date: 2022-12-09 13:34:09

Below is a write-up of my own practice of handling logs with nginx + graylog, for reference.

Reference log views

[screenshots from the original post are not reproduced here]
Reference configuration

  • log format
    Reference formats are below; define log formats that match your own business and use different ones per application. A few points worth knowing before copying them: $resp_body is not a built-in nginx variable, it is filled by the body_filter_by_lua_block in the application config and must be declared with set $resp_body "" before a log format references it, otherwise nginx refuses to start with an unknown-variable error; source_ip is copied from $http_x_forwarded_for, a header any client can send, so it is only meaningful when the hop in front of nginx (the F5 here) is trusted to set it; and the formats that capture $request_body, $resp_body and $http_cookie ship credentials, session cookies and whatever else those fields carry to the collector over plain UDP syslog, so enable them only on the locations that need them and keep the syslog target on a trusted network. If Graylog should parse timestamp as a date, $time_iso8601 is easier to handle than $time_local.
 
log_format  main  '$remote_addr - $remote_user [$time_local] requesthost:"$http_host"; "$request" requesttime:"$request_time"; '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
log_format graylog2_json escape=json '{ "timestamp": "$time_local", '
                    '"remote_addr": "$remote_addr", '
                    '"body_bytes_sent": $body_bytes_sent, '
                    '"request_time": $request_time, '
                    '"response_status": $status, '
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"host": "$host",'
                    '"request_body":"$request_body",'
                    '"source_ip": "$http_x_forwarded_for",'
                    '"upstream_cache_status": "$upstream_cache_status",'
                    '"upstream_addr": "$upstream_addr",'
                    '"upstream_response_time": "$upstream_response_time",'
                    '"http_x_forwarded_for": "$http_x_forwarded_for",'
                    '"http_referrer": "$http_referer", '
                    '"http_user_agent": "$http_user_agent",'
                    '"realip":"$realip_remote_addr"}';
 
log_format graylog3_json escape=json '{ "timestamp": "$time_local", '
                    '"remote_addr": "$remote_addr", '
                    '"body_bytes_sent": $body_bytes_sent, '
                    '"request_time": $request_time, '
                    '"response_status": $status, '
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"host": "$host",'
                    '"request_body":"$request_body",'
                    '"response_body":"$resp_body",'
                    '"upstream_cache_status": "$upstream_cache_status",'
                    '"upstream_addr": "$upstream_addr",'
                    '"http_x_forwarded_for": "$http_x_forwarded_for",'
                    '"source_ip": "$http_x_forwarded_for",'
                    '"upstream_response_time": "$upstream_response_time",'
                    '"http_referrer": "$http_referer", '
                    '"http_user_agent": "$http_user_agent",'
                    '"realip":"$realip_remote_addr"}';
 
log_format graylog4_json escape=json '{ "timestamp": "$time_local", '
                    '"remote_addr": "$remote_addr", '
                    '"body_bytes_sent": $body_bytes_sent, '
                    '"request_time": $request_time, '
                    '"response_status": $status, '
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"host": "$host",'
                    '"request_body":"$request_body",'
                    '"response_body":"$resp_body",'
                    '"upstream_cache_status": "$upstream_cache_status",'
                    '"upstream_addr": "$upstream_addr",'
                    '"http_x_forwarded_for": "$http_x_forwarded_for",'
                    '"source_ip": "$http_x_forwarded_for",'
                    '"source_ip_fromf5": "$http_myip",'
                    '"http_referrer": "$http_referer", '
                    '"upstream_response_time": "$upstream_response_time",'
                    '"http_user_agent": "$http_user_agent",'
                    '"realip":"$realip_remote_addr"}';
log_format graylog5_json escape=json '{ "timestamp": "$time_local", '
                    '"remote_addr": "$remote_addr", '
                    '"body_bytes_sent": $body_bytes_sent, '
                    '"request_time": $request_time, '
                    '"response_status": $status, '
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"host": "$host",'
                    '"source_ip": "$http_x_forwarded_for",'
                    '"upstream_cache_status": "$upstream_cache_status",'
                    '"upstream_addr": "$upstream_addr",'
                    '"upstream_response_time": "$upstream_response_time",'
                    '"http_x_forwarded_for": "$http_x_forwarded_for",'
                    '"http_referrer": "$http_referer", '
                    '"http_user_agent": "$http_user_agent",'
                    '"realip":"$realip_remote_addr"}';
log_format graylog6_json escape=json '{ "timestamp": "$time_local", '
                    '"remote_addr": "$remote_addr", '
                    '"body_bytes_sent": $body_bytes_sent, '
                    '"request_time": $request_time, '
                    '"response_status": $status, '
                    '"request": "$request", '
                    '"request_method": "$request_method", '
                    '"host": "$host",'
                    '"request_body":"$request_body",'
                    '"response_body":"$resp_body",'
                    '"upstream_cache_status": "$upstream_cache_status",'
                    '"upstream_addr": "$upstream_addr",'
                    '"http_x_forwarded_for": "$http_x_forwarded_for",'
                    '"source_ip": "$http_x_forwarded_for",'
                    '"upstream_response_time": "$upstream_response_time",'
                    '"http_referrer": "$http_referer", '
                    '"http_cookie": "$http_cookie",'
                    '"http_user_agent": "$http_user_agent",'
                    '"realip":"$realip_remote_addr"}';
log_format log2  escape=json  '$remote_addr  $time_local  $request_method  $request_uri  $status  $request_time  "$request_body"';
  • Common part (nginx.conf)
# worker processes run as this user; nginx workers do not need root, a dedicated unprivileged account (for example nginx) is the safer choice
user root;
worker_processes  auto;
worker_cpu_affinity auto;
error_log logs/error.log error;
# error log is also sent to the syslog collector (Graylog syslog input); the placeholder is the collector address
error_log syslog:server=<syslog server>:12407,tag=lb_ingress_error error;
events {
    use epoll;
    worker_connections  655360;
}
http {
    include common/*.conf;
    include app/*.conf;
}
  • Application system
upstream xxxxxx {
        # least-connections balancing (not plain round-robin)
        least_conn;
        server xxxxx:80;
        # active health checks (nginx_upstream_check_module, present in Tengine/OpenResty builds), enable as needed
        #check interval=1000 rise=2 fall=5 timeout=1000 type=http;
        #check_http_send "HEAD / HTTP/1.0\r\n\r\n";
        #check_http_expect_alive http_2xx http_3xx;
}
   
server {
    listen       80;
    server_name  xxxxx;
    # configure access_log as needed
    access_log syslog:server=xxxxx:12401 graylog3_json;
    location / {
        return 301 https://$host$request_uri;
    }
}
 
server {
    listen 443 ssl http2;
    server_name  xxxxxxx;
    ssl_certificate ssl/xxxxx.pem;
    ssl_certificate_key ssl/xxxxxx.key;
    # configure access_log as needed
    access_log syslog:server=xxxxxx:12401 graylog3_json;
    location / {
        # configure access_log as needed
        access_log syslog:server=xxxxxx:12401 graylog3_json;
        # $resp_body is referenced by the graylog3/4/6 formats; it has to be declared, otherwise nginx fails with 'unknown "resp_body" variable'
        set $resp_body "";
        # response body capture based on OpenResty, configure as needed; only the first 1000 bytes are kept
        body_filter_by_lua_block {
            local resp_body = string.sub(ngx.arg[1], 1, 1000)
            ngx.ctx.buffered = string.sub((ngx.ctx.buffered or "") .. resp_body, 1, 1000)
            -- ngx.arg[2] is true if this is the last chunk
            if ngx.arg[2] then
                ngx.var.resp_body = ngx.ctx.buffered
            end
        }
        proxy_set_header Host $http_host;
        # overwrites any client-supplied X-Forwarded-For with the peer address nginx actually saw;
        # use $proxy_add_x_forwarded_for instead if the upstream needs the whole chain
        proxy_set_header X-Forwarded-For $remote_addr;
        # $request_body is only populated when the body fits in client_body_buffer_size;
        # larger bodies are spooled to a temp file and logged as empty
        client_body_buffer_size 10M;
        client_max_body_size 10G;
        proxy_buffers 1024 4k;
        proxy_read_timeout 300;
        proxy_pass http://xxxxxx;
    }
}
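Two of the logged fields deserve a concrete check before anyone builds dashboards or alerts on them: source_ip is copied from $http_x_forwarded_for, which any client can set, and request_body / http_cookie carry credentials and session tokens. The following Python is an added example, not code from the original post: it parses constructed syslog lines in the shape nginx's syslog: target emits for the graylog6_json format above, derives a client address the way ngx_http_realip_module with real_ip_recursive on would (trusting X-Forwarded-For only while the peer is inside an assumed trusted proxy range, 10.0.0.0/8 standing in for the F5), and masks secrets in the body and cookie fields before the events are shipped. The proxy range, the syslog tag, the parameter-name list and the sample lines are all assumptions.

```python
import ipaddress
import json
import re

# Assumption: the F5 / load balancer in front of nginx lives in this range and is the only
# party whose X-Forwarded-For values are trusted. Adjust to your own proxy addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Parameter names whose values must never reach the log platform (form-encoded or JSON bodies).
SECRET_PARAM = re.compile(
    r'((?:password|passwd|pwd|token|secret)"?\s*[=:]\s*"?)([^&"\s]*)', re.IGNORECASE)

# Constructed sample lines (not real traffic) in the shape nginx's syslog: target emits for
# the graylog6_json format: "<PRI>timestamp host tag: {json}". escape=json has already
# turned quotes inside request_body into \".
SAMPLE_LINES = [
    # 1: login through the trusted proxy; password in the form body, session cookie present
    r'<190>Dec  9 13:34:09 lb01 nginx: { "timestamp": "09/Dec/2022:13:34:09 +0800", '
    r'"remote_addr": "10.1.2.3", "body_bytes_sent": 512, "request_time": 0.012, '
    r'"response_status": 200, "request": "POST /login HTTP/1.1", "request_method": "POST", '
    r'"host": "app.example.com", "request_body":"user=bob&password=hunter2", '
    r'"response_body":"{\"ok\":true}", "upstream_cache_status": "", "upstream_addr": "10.2.0.10:80", '
    r'"http_x_forwarded_for": "203.0.113.7", "source_ip": "203.0.113.7", "upstream_response_time": "0.010", '
    r'"http_referrer": "", "http_cookie": "session=abc123; theme=dark", '
    r'"http_user_agent": "curl/7.81.0", "realip":"10.1.2.3"}',
    # 2: direct connection that spoofs X-Forwarded-For; JSON body with a password
    r'<190>Dec  9 13:34:10 lb01 nginx: { "timestamp": "09/Dec/2022:13:34:10 +0800", '
    r'"remote_addr": "198.51.100.9", "body_bytes_sent": 17, "request_time": 0.004, '
    r'"response_status": 401, "request": "POST /api/login HTTP/1.1", "request_method": "POST", '
    r'"host": "app.example.com", "request_body":"{\"user\":\"bob\",\"password\":\"hunter2\"}", '
    r'"response_body":"", "upstream_cache_status": "", "upstream_addr": "10.2.0.10:80", '
    r'"http_x_forwarded_for": "1.1.1.1", "source_ip": "1.1.1.1", "upstream_response_time": "0.003", '
    r'"http_referrer": "", "http_cookie": "", "http_user_agent": "python-requests/2.28", "realip":"198.51.100.9"}',
    # 3: client-supplied hop, then the address the proxy appended, then another trusted hop
    r'<190>Dec  9 13:34:11 lb01 nginx: { "timestamp": "09/Dec/2022:13:34:11 +0800", '
    r'"remote_addr": "10.1.2.3", "body_bytes_sent": 1024, "request_time": 0.020, '
    r'"response_status": 200, "request": "GET / HTTP/1.1", "request_method": "GET", '
    r'"host": "app.example.com", "request_body":"", "response_body":"<html>", '
    r'"upstream_cache_status": "HIT", "upstream_addr": "10.2.0.11:80", '
    r'"http_x_forwarded_for": "9.9.9.9, 203.0.113.7, 10.0.5.5", "source_ip": "9.9.9.9, 203.0.113.7, 10.0.5.5", '
    r'"upstream_response_time": "0.018", "http_referrer": "", "http_cookie": "", '
    r'"http_user_agent": "Mozilla/5.0", "realip":"10.1.2.3"}',
]


def parse_line(line):
    """Drop the syslog header (Graylog's syslog input does the same) and decode the JSON payload."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON payload in line: %r" % line[:40])
    return json.loads(line[start:])


def is_trusted(addr):
    """True only for syntactically valid addresses inside TRUSTED_PROXIES."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(event):
    """Resolve the client the way the realip module with real_ip_recursive on does: start
    from the TCP peer, walk X-Forwarded-For right to left skipping trusted proxies, and take
    the first untrusted hop. A direct (untrusted) peer gets its header ignored entirely."""
    remote = event["remote_addr"]
    if not is_trusted(remote):
        return remote
    hops = [h.strip() for h in event.get("http_x_forwarded_for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: stop walking and fall back to the peer address
        if not is_trusted(hop):
            return hop
    return remote


def redact(event):
    """Return a copy with credential-bearing fields masked; the input dict is left untouched."""
    out = dict(event)
    if out.get("request_body"):
        out["request_body"] = SECRET_PARAM.sub(r"\1[redacted]", out["request_body"])
    if out.get("http_cookie"):
        names = [c.split("=", 1)[0].strip() for c in out["http_cookie"].split(";") if c.strip()]
        out["http_cookie"] = "; ".join(n + "=[redacted]" for n in names)
    return out


def process(lines):
    """Parse each line, attach the resolved client_ip and redact; this is what should reach Graylog."""
    events = []
    for line in lines:
        ev = parse_line(line)
        ev["client_ip"] = client_ip(ev)
        events.append(redact(ev))
    return events


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev["client_ip"], ev["response_status"], ev["request"], ev["request_body"], ev["http_cookie"])
```

The same resolution can be done inside nginx itself with set_real_ip_from / real_ip_header X-Forwarded-For / real_ip_recursive on, after which $remote_addr holds the client and $realip_remote_addr keeps the proxy; doing it in a Graylog pipeline rule instead is the choice when nginx must keep seeing the proxy address for access control.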

Alert handling

Graylog supports alerts (much more convenient since 4.0).

  • Reference diagrams

[screenshots from the original post are not reproduced here]

  • Brief explanation

Graylog streams and stream rules route the logs of different application systems into different Elasticsearch index sets; an alert is defined on a stream plus a query condition, and notifications are delivered by email or webhook.
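What such an alert definition boils down to is a windowed count over the events matching a query, grouped by a field, with a grace period so one ongoing condition does not notify on every further hit. The Python below is an added example and not Graylog's own code: it evaluates two such conditions over constructed events (already parsed into dicts carrying the field names of the JSON formats above plus a resolved client_ip), a failed-login burst per client and an upstream 5xx burst per host, and returns the alerts an email or webhook notification would carry. The thresholds, the one-minute window and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: one-minute search window, as in a Graylog event definition


def parse_time_local(value):
    """Parse nginx's $time_local, e.g. 09/Dec/2022:13:34:09 +0800 (English month names)."""
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")


class WindowedCountRule:
    """Fire when at least `threshold` matching events for one group fall inside `window`;
    after firing, stay quiet for that group until a full window has passed (grace period)."""

    def __init__(self, name, predicate, group_field, threshold, window=WINDOW):
        self.name, self.predicate, self.group_field = name, predicate, group_field
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # group -> timestamps of matching events still in the window
        self.last_fired = {}

    def feed(self, event):
        if not self.predicate(event):
            return None
        group, now = event[self.group_field], event["timestamp"]
        q = self.seen[group]
        q.append(now)
        while q and now - q[0] > self.window:  # expire events that left the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        fired = self.last_fired.get(group)
        if fired is not None and now - fired < self.window:
            return None  # still inside the grace period for this group
        self.last_fired[group] = now
        return {"rule": self.name, "group": group, "count": len(q), "at": now}


def make_rules():
    """Fresh rule instances (they carry state), equivalent to two stream event definitions."""
    return [
        WindowedCountRule("failed_logins",
                          lambda e: e["response_status"] == 401 and e["request"].startswith("POST /login"),
                          "client_ip", threshold=5),
        WindowedCountRule("upstream_5xx",
                          lambda e: 500 <= e["response_status"] < 600,
                          "host", threshold=3),
    ]


# Constructed sample events (time_local, client_ip, host, status, request); not real traffic.
SAMPLE_EVENTS = [
    ("09/Dec/2022:13:34:00 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),
    ("09/Dec/2022:13:34:05 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),
    ("09/Dec/2022:13:34:07 +0800", "198.51.100.9", "app.example.com", 200, "GET / HTTP/1.1"),
    ("09/Dec/2022:13:34:10 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),
    ("09/Dec/2022:13:34:12 +0800", "198.51.100.9", "app.example.com", 502, "GET /api/items HTTP/1.1"),
    ("09/Dec/2022:13:34:15 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),
    ("09/Dec/2022:13:34:20 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),  # 5th in 20 s
    ("09/Dec/2022:13:34:25 +0800", "203.0.113.7", "app.example.com", 401, "POST /login HTTP/1.1"),  # grace: no repeat
    ("09/Dec/2022:13:34:30 +0800", "198.51.100.9", "app.example.com", 502, "GET /api/items HTTP/1.1"),
    ("09/Dec/2022:13:34:40 +0800", "203.0.113.7", "app.example.com", 200, "POST /login HTTP/1.1"),
    ("09/Dec/2022:13:35:40 +0800", "198.51.100.9", "app.example.com", 502, "GET /api/items HTTP/1.1"),  # earlier 502s expired
    ("09/Dec/2022:13:35:45 +0800", "198.51.100.9", "app.example.com", 502, "GET /api/items HTTP/1.1"),
    ("09/Dec/2022:13:35:50 +0800", "198.51.100.9", "app.example.com", 504, "GET /api/items HTTP/1.1"),  # 3rd in 10 s
]


def build_events(rows):
    return [{"timestamp": parse_time_local(t), "client_ip": ip, "host": host,
             "response_status": status, "request": req} for t, ip, host, status, req in rows]


def run_rules(events, rules=None):
    """Feed events in time order to every rule and collect the alerts raised."""
    rules = rules if rules is not None else make_rules()
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(build_events(SAMPLE_EVENTS)):
        print(a["at"].isoformat(), a["rule"], a["group"], a["count"])
```

Grouping the failed-login rule by the resolved client address rather than by the raw X-Forwarded-For header matters: with the header as the group key, an attacker connecting directly can rotate the header value on every request and never cross the threshold.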

Notes

Graylog offers a fairly complete log-processing model, and monitoring nginx and application-system logs with it is quite convenient. It ships with a fairly complete permission system and flexible data storage handling, and is a very good platform for log storage, search and alerting. The above is my own practice and only a brief description; I have written about some of this before, see the references.

References

https://go2docs.graylog.org/5-0/what_is_graylog/what_is_graylog.htm
https://www.cnblogs.com/rongfengliang/p/11251458.html

Source: https://www.cnblogs.com/rongfengliang/p/16968684.html
