Environment:
- 192.168.177.251: Elasticsearch on 9200, Kibana on 5601
- 192.168.177.252: Logstash on 9600
Log in to 251
[root@192 patterns]# pwd
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns
Upload the nginx_access pattern file you created to this directory
[root@192 ~]# cd /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/
[root@192 patterns]# vim nginx.conf
[root@192 patterns]# cat nginx.conf
NGINXACCESS %{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" %{NUMBER:status} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" "%{GREEDYDATA:agent}"
Add the Logstash config file for collecting the nginx log
[root@192 patterns]# cd /etc/logstash/conf.d/
[root@192 conf.d]# cp messages.conf nginx.conf
[root@192 conf.d]# vim nginx.conf
[root@192 conf.d]# cat nginx.conf
input {
  file {
    path => "/var/log/nginx/access.log"
    type => "nginx_log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{NGINXACCESS}" }
  }
}
output {
  elasticsearch {
    hosts => "192.168.177.251:9200"
    index => "nginx_log-%{+YYYY.MM.dd}"
  }
}
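To see what the NGINXACCESS pattern in the patterns file and the grok filter above actually extract before the pipeline runs, here is an added Python example (not code from the page or from logstash-patterns-core): the grok pattern is rewritten as an equivalent regular expression, run over a few constructed access-log lines, and the resulting fields are mapped to the daily index name the output stanza would produce. The grok building blocks (IPORHOST, USER, HTTPDATE, URI, GREEDYDATA) are approximated with plain character classes, and the sample lines are made up. One caveat the example makes visible: the page's filter has no `date` filter, so in Logstash `%{+YYYY.MM.dd}` is rendered from `@timestamp`, which defaults to ingestion time; with `start_position => "beginning"` an old log would therefore be indexed under today's date. The example instead assumes the `timestamp` field has been copied into `@timestamp` and shows the index Logstash would pick in that case, using the UTC date the way Logstash does.

```python
import re
from datetime import datetime, timezone

# Python regex equivalent of the NGINXACCESS grok pattern from the page. The grok
# building blocks (IPORHOST, USER, HTTPDATE, URI, GREEDYDATA, ...) are approximated
# with plain character classes; these are not the definitions shipped in
# logstash-patterns-core (added illustration).
NGINXACCESS = re.compile(
    r'^(?P<client_ip>[^\s"]+) '
    r'(?P<ident>[a-zA-Z0-9._-]+) '
    r'(?P<auth>[a-zA-Z0-9._-]+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<http_version>\d+(?:\.\d+)?))?|-)" '
    r'(?P<status>\d{3}) '
    r'(?:-|(?P<bytes>\d+)) '
    r'"(?:-|(?P<referrer>[^"]+))" '
    r'"(?P<agent>.*)"$'
)

# Constructed sample lines (not captured from a real server).
SAMPLE_LINES = [
    '192.168.177.100 - - [12/Mar/2019:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "ApacheBench/2.3"',
    '192.168.177.101 - admin [12/Mar/2019:03:00:00 +0800] "POST /login HTTP/1.1" 302 - "http://192.168.177.251/index.html" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.177.102 - - [12/Mar/2019:10:16:00 +0800] "-" 400 0 "-" "-"',
    'not an access log line',
]


def parse_access_line(line):
    """Return the grok-style field dict, or None when the line does not match
    (Logstash would tag such an event _grokparsefailure and keep the raw message)."""
    m = NGINXACCESS.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    for key in ("ident", "auth"):          # grok keeps the literal "-" placeholder
        if fields[key] == "-":
            fields[key] = None
    for key in ("status", "bytes"):        # NUMBER captures strings unless :int is used
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def event_timestamp(fields):
    """Parse the HTTPDATE field (e.g. 12/Mar/2019:10:15:32 +0800) into an aware datetime."""
    return datetime.strptime(fields["timestamp"], "%d/%b/%Y:%H:%M:%S %z")


def index_name(ts, prefix="nginx_log"):
    """Mimic index => "nginx_log-%{+YYYY.MM.dd}". Logstash renders the date from
    @timestamp in UTC, so a +0800 entry logged before 08:00 local time lands in
    the previous day's index."""
    return f"{prefix}-{ts.astimezone(timezone.utc):%Y.%m.%d}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_access_line(line)
        if fields is None:
            print("_grokparsefailure:", line)
            continue
        print(index_name(event_timestamp(fields)), fields["client_ip"],
              fields["status"], fields["request"])
```

The second sample line is logged at 03:00 +0800, which is still 11 March in UTC, so it goes to `nginx_log-2019.03.11` even though the server clock said 12 March; keep that in mind when a day's index looks short in Kibana.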
Because there are now several collection config files, the pipelines.yml (pipeline definitions) file must be edited
vim /etc/logstash/pipelines.yml
- pipeline.id: messages
  path.config: "/etc/logstash/conf.d/messages.conf"
- pipeline.id: nginx
  path.config: "/etc/logstash/conf.d/nginx.conf"
Restart Logstash
- systemctl restart logstash
- chmod 777 /var/log -R
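The recursive `chmod 777` above gives Logstash read access to the log, but it also lets every local account write to or truncate everything under /var/log, so the logs lose the integrity you later rely on during an investigation. The narrower fix is to find out which single bit the Logstash service account is missing and grant only that. The following added Python check (not part of the page) reproduces the owner/group/other decision the kernel makes, walks every directory on the path (search bit) down to the file (read bit), and names the first component that denies the account. The account name `logstash` (the one the Logstash packages create; confirm with `id logstash`) and the log path from the file input are assumptions.

```python
import grp
import os
import pwd
import stat

# Which mode bits grant each permission to owner / group / other.
PERM_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def mode_allows(mode, file_uid, file_gid, uid, gids, perm):
    """Classic Unix DAC check for one permission ('r' = read, 'x' = search/execute).
    Exactly one class applies: owner if uid matches, else group if any gid matches,
    else other. uid 0 is treated as allowed (root bypasses DAC for read/search)."""
    if uid == 0:
        return True
    owner, group, other = PERM_BITS[perm]
    if uid == file_uid:
        return bool(mode & owner)
    if file_gid in gids:
        return bool(mode & group)
    return bool(mode & other)


def account_ids(username):
    """uid plus primary and supplementary gids of a local account (pwd/grp lookup)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def first_denied_component(path, uid, gids):
    """Walk from / to the file as the given account: each directory needs 'x',
    the file itself needs 'r'. Returns (component, perm) for the first denial,
    or None when the account can already read the file with the current bits."""
    components, acc = [], ""
    for name in os.path.abspath(path).split(os.sep):
        acc = os.path.join(acc, name) if acc else os.sep
        components.append(acc)
    last = len(components) - 1
    for i, comp in enumerate(components):
        st = os.stat(comp)
        perm = "r" if i == last else "x"
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, perm):
            return comp, perm
    return None


if __name__ == "__main__":
    # Assumed service account and the log path from the page's file input.
    account, log_path = "logstash", "/var/log/nginx/access.log"
    try:
        uid, gids = account_ids(account)
        denied = first_denied_component(log_path, uid, gids)
    except (KeyError, FileNotFoundError) as exc:
        raise SystemExit(f"cannot check: {exc}")
    if denied is None:
        print(f"{account} can already read {log_path}; no chmod needed")
    else:
        comp, perm = denied
        print(f"{account} lacks '{perm}' on {comp}: grant that bit on this component "
              f"(group membership or an ACL) instead of chmod 777 -R /var/log")
```

Run it as root on the Logstash host; typically the only missing piece is group read on the log file or search on /var/log/nginx, which a group membership or a single ACL entry on that component fixes without touching the rest of /var/log.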
If the nginx index does not show up in the web UI, generate some traffic:
yum -y install httpd-tools
ab -n 1000 -c 1000 http://192.168.177.251/index.html
Create visualizations
Top ten client IP addresses by request count
Request trend over time