
Константин Пильник, 2022-10-14 13:48

h1. Logstash
h2. разбираем лог syslog
{{collapse(logstash.conf)
# Tail the host syslog file and split each line into its syslog fields.
input {
  file {
    # Label used by the filter section below to select this pipeline's events.
    type => "message"
    path => [ "/var/log/messages" ]
    # On the first start only new lines are read; entries already in the
    # file are not replayed.
    start_position => "end"
    # Seconds between checks of the file for new data.
    stat_interval => 1
    # Seconds between re-scans of `path` for newly created files.
    discover_interval => 3
  }
}

filter {
  if [type] == "message" {
    grok {
      # Classic BSD syslog line: "MMM dd HH:mm:ss host program[pid]: text".
      # The "[pid]" group is optional; everything after the colon lands in
      # syslog_message. Lines that do not match keep their raw message and
      # are tagged _grokparsefailure rather than dropped.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" }
    }
    date {
      # Replace @timestamp with the parsed syslog_timestamp. The first pattern
      # covers the space-padded single-digit day ("Oct  4"), the second the
      # two-digit day. Syslog timestamps carry no year or zone: Logstash assumes
      # the current year and, with no `timezone` set here, the host's local zone.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  # Console output only: events are printed for inspection, nothing is stored.
  stdout {}
}
}}
h2. разбираем лог nginx из файловой системы
{{collapse(nginx.conf)
<pre>
# Access log as one JSON object per line. escape=json makes nginx escape
# quotes, backslashes and control characters in every variable value, so the
# client-controlled fields ($request, $http_referer, $http_user_agent) cannot
# break the JSON structure or smuggle extra keys into the record.
# Notes on the keys: every value, including status and the byte/time counters,
# is emitted as a JSON string; "http_referrer" keeps the double-r spelling
# while the nginx variable it reads is $http_referer.
log_format json_combined escape=json
  '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"request":"$request",'
    '"status": "$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"request_time":"$request_time",'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
  '}';
# Write the format above to the file that the logstash.conf below tails.
access_log /var/log/nginx/access.log json_combined;
</pre>
}}
{{collapse(logstash.conf)
<pre><code class="javascript">
# Tail the JSON access log written by nginx.conf and decode each line in place.
input {
  file {
    # Label used by the filter section below to select this pipeline's events.
    type => "nginx"
    path => [ "/var/log/nginx/access.log" ]
    # On the first start only new lines are read; existing entries are skipped.
    start_position => "end"
  }
}

filter {
  if [type] == "nginx" {
    # Each line is already a complete JSON object (nginx escape=json), so no
    # grok step is needed. With no `target`, the decoded keys are merged into
    # the event's top level; an undecodable line keeps its raw message and is
    # tagged _jsonparsefailure.
    json {
      source => "message"
    }
  }
}

output {
  # Console output only, for inspecting the decoded events.
  stdout {}
}
</code></pre>
}}
h2. разбираем лог nginx из syslog
{{collapse(nginx.conf)
<pre>
# Same JSON access-log format as the file variant. escape=json escapes quotes,
# backslashes and control characters in every variable value, so the
# client-controlled fields ($request, $http_referer, $http_user_agent) cannot
# break the JSON structure or smuggle extra keys into the record. All values
# are emitted as JSON strings; "http_referrer" reads the $http_referer variable.
log_format json_combined escape=json
  '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"request":"$request",'
    '"status": "$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"request_time":"$request_time",'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
  '}';
# Send each access entry to the local syslog socket instead of a file.
# tag=nginx becomes the program name in the resulting syslog line, which is
# what the logstash.conf below uses to recognise these records; severity=error
# sets the syslog priority of every entry (they are access entries, not
# errors); nohostname omits the hostname field from what nginx sends, though
# the syslog daemon may add its own. No facility is given, so nginx's default
# (local7) applies.
access_log syslog:server=unix:/dev/log,tag=nginx,severity=error,nohostname json_combined;
</pre>
}}
{{collapse(logstash.conf)
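# Read the nginx access entries that nginx.conf sends through the local syslog
# socket: each line is a syslog record whose text part is the JSON object.
input {
  file {
    # Label used by the filter section below to select this pipeline's events.
    type => "syslog"
    path => [ "/var/log/syslog" ]
    # On the first start only new lines are read; existing entries are skipped.
    start_position => "end"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Split the syslog envelope; the JSON payload written by nginx lands in
      # syslog_message and the syslog tag ("nginx") in syslog_program. Lines
      # that do not match keep their raw message and are tagged
      # _grokparsefailure; they then also lack syslog_program, so the JSON
      # decoder below is skipped for them.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" }
    }
    date {
      # Set @timestamp from the syslog timestamp, as the syslog pipeline above
      # does, instead of leaving it at ingestion time. Syslog timestamps carry
      # no year or zone: Logstash assumes the current year and, with no
      # `timezone` set here, the host's local zone.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    # /var/log/syslog holds every program's messages. Only the records that
    # nginx.conf tagged "nginx" carry JSON, so the decoder is limited to them;
    # running it on every line would mark all other events _jsonparsefailure.
    # Decoding into a separate target keeps the client-controlled request
    # fields from overwriting the envelope fields grok has already set.
    if [syslog_program] == "nginx" {
      json {
        source => "[syslog_message]"
        target => "[nginx_message]"
      }
    }
  }
}

output {
  # Console output only, for inspecting the decoded events.
  stdout {}
}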
}}
h3. ссылки
https://www.elastic.co/guide/en/logstash/current/input-plugins.html
https://www.elastic.co/guide/en/logstash/current/filter-plugins.html
https://www.elastic.co/guide/en/logstash/current/output-plugins.html