1.本次采用的一台主机,将所有的软件安装一台上进行测试工作。
2.安装部署:https://blog.51cto.com/hwg1227/2299995
3.简单调试
输出rubydebug
input{
file {
path => "/usr/local/log_test/*/*/*.log"
start_position => "beginning"
}
}output {
elasticsearch {
hosts => ["10.0.0.92:9200"]
index => "myre-%{+YYY.MM.dd}"
}
stdout {codec => rubydebug}
}---------------------
原文:https://blog.csdn.net/yelllowcong/article/details/80847425log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" $request_time';5.filter的定义 参考
filter {
grok {
match => { "message" => "%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:body_sent:bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{DATA:x_forwarded_for}\" %{NUMBER:request_time}" }
# remove_field => "message"
}
}########################################################
1.目标定义好nginx的日志格式为json格式。分割成多份。demo:统计11:00 - 11:50的404status状态的访问
2.nginx的日志格式
参考:https://www.linuxidc.com/Linux/2017-12/149811.htm
[root@rbtnode1 nginx]# cat /usr/local/nginx/conf/nginx.conf|egrep -v '#|^$'
。。。
http {
include mime.types;
default_type application/octet-stream;
log_format json '{ "@timestamp": "$time_iso8601", '
'"time": "$time_iso8601", '
'"remote_addr": "$remote_addr", '
'"remote_user": "$remote_user", '
'"body_bytes_sent": "$body_bytes_sent", '
'"request_time": "$request_time", '
'"status": "$status", '
'"host": "$host", '
'"request": "$request", '
'"request_method": "$request_method", '
'"uri": "$uri", '
'"http_referrer": "$http_referer", '
'"body_bytes_sent":"$body_bytes_sent", '
'"http_x_forwarded_for": "$http_x_forwarded_for", '
'"http_user_agent": "$http_user_agent" '
'}';
access_log /var/log/nginx/access.log json;
sendfile on;
keepalive_timeout 65;
。。。
}3.logstash的配置文件,连接es
[root@VM_0_92_centos bin]# cat ../config/nginxdemojson.conf
input{
file {
path => "/var/log/nginx/access.log"
codec => "json"
}
}
filter{
}
output {
elasticsearch {
hosts => ["10.0.0.92:9200"]
index => "demo-%{+YYY.MM.dd}"
}
stdout {codec => rubydebug}
}---------------------------------------------------------------------------------------------------------------------
3.修改配置文件
vim config/elasticsearch.yml
#修改为自己的ip
network.host: x.x.x.x
#把这个注释先放开
cluster.initial_master_nodes: ["node-1", "node-2"]4.修改limit文件
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 4096
* hard nproc 4096
vi /etc/sysctl.conf
vm.max_map_count=262144
sysctl -p
用一个例子来演示会更加清晰