Storing a custom nginx log format with Filebeat and Logstash

vim /etc/nginx/nginx.conf

log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;

nginx -s reload

Step 2: write the nginx-patterns file

NGINX_ACCESS %{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] "%{DATA:request}" %{INT:status} %{NUMBER:bytes_sent} "%{DATA:http_referer}" "%{DATA:http_user_agent}"

Step 3: modify the haoke-pipeline.conf file

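input {
  # Receive events shipped by Filebeat
  beats {
    port => "5044"
  }
}
filter {
  grok {
    # Directory holding the custom NGINX_ACCESS pattern
    patterns_dir => "/haoke/logstash-6.5.4/nginx-patterns"
    match => { "message" => "%{NGINX_ACCESS}"}
    # remove_tag and add_tag are applied only when the match succeeds
    remove_tag => [ "_grokparsefailure" ]
    add_tag => [ "nginx_access" ]
  }
}
output {
  # Print each parsed event to the console for inspection
  stdout { codec => rubydebug }
}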
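
To check offline which fields the NGINX_ACCESS pattern extracts and what a line that does not match looks like, here is an added Ruby example (not part of the original article or of Logstash). The regex is a hand-written, anchored approximation of the grok sub-patterns, and the sample log lines are constructed.

```ruby
# Added example: approximation of the NGINX_ACCESS grok pattern as a Ruby regex.
# The sub-patterns are simplified stand-ins for grok's IPORHOST, USERNAME,
# HTTPDATE, DATA, INT and NUMBER, not the library's exact definitions.
# The literal [ and ] around the timestamp must be escaped; unescaped, the
# regex engine would read them as a character class.
NGINX_ACCESS = /
  \A(?<remote_addr>[0-9A-Za-z.:\-]+)\s-\s
  (?<remote_user>[A-Za-z0-9._\-]+)\s
  \[(?<time_local>\d{2}\/[A-Za-z]{3}\/\d{4}:\d{2}:\d{2}:\d{2}\s[+\-]\d{4})\]\s
  "(?<request>.*?)"\s
  (?<status>[+\-]?\d+)\s
  (?<bytes_sent>\d+(?:\.\d+)?)\s
  "(?<http_referer>.*?)"\s
  "(?<http_user_agent>.*?)"\z
/x

# Returns the extracted fields plus the tag the pipeline would set:
# "nginx_access" on a match, "_grokparsefailure" otherwise.
def parse_nginx_access(line)
  m = NGINX_ACCESS.match(line.chomp)
  return { "message" => line, "tags" => ["_grokparsefailure"] } if m.nil?
  m.named_captures.merge("tags" => ["nginx_access"])
end

# Constructed sample lines in the 'main' log_format from step 1.
SAMPLE_OK = '203.0.113.7 - - [08/Feb/2021:10:15:32 +0800] ' \
            '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"'
# Timestamp without brackets: does not fit the format, so parsing fails.
SAMPLE_BAD = '203.0.113.7 - - 08/Feb/2021:10:15:32 +0800 ' \
             '"GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"'
# nginx's default log escaping writes a double quote inside a variable as
# \x22, so a quote in the User-Agent does not end the quoted field early.
SAMPLE_QUOTED = '203.0.113.7 - - [08/Feb/2021:10:15:33 +0800] ' \
                '"GET / HTTP/1.1" 200 612 "-" "test\x22agent"'

if __FILE__ == $0
  [SAMPLE_OK, SAMPLE_BAD, SAMPLE_QUOTED].each { |l| p parse_nginx_access(l) }
end
```
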
Original article: https://www.cnblogs.com/zhian/p/14379110.html