grok作为一个logstash的过滤插件,支持根据模式解析文本日志行,拆成字段。
- nginx日志的配置:
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
- logstash中grok的正则(添加在logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-xxx/patterns/grok-patterns文件中)为:
WZ ([^ ]*) NGINXACCESS %{IP:remote_ip} \- \- \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{WZ:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:status} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{QS:xforward}
logstash的配置为:
input { file { path => ["/var/log/nginx/access.log"] type => "nginxlog" start_position => "beginning" } } filter { grok { match => { "message" => "%{NGINXACCESS}" } } } output { stdout { codec => rubydebug } }
logstash的输出:
{ "message" => "192.168.154.2 - - [30/Mar/2017:01:27:09 -0700] \"GET /index.html HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36\" \"-\"", "@version" => "1", "@timestamp" => "2017-03-30T08:27:09.539Z", "path" => "/var/log/nginx/access.log", "host" => "spark4", "type" => "nginxlog", "remote_ip" => "192.168.154.2", "timestamp" => "30/Mar/2017:01:27:09 -0700", "method" => "GET", "request" => "/index.html", "httpversion" => "1.1", "status" => "304", "bytes" => "0", "referer" => "\"-\"", "agent" => "\"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36\"", "xforward" => "\"-\"" }