Logstash » История » Версия 2
Константин Пильник, 2022-10-14 13:48
| 1 | 1 | Константин Пильник | h1. Logstash |
|---|---|---|---|
| 2 | |||
| 3 | h2. разбираем лог syslog |
||
| 4 | |||
| 5 | {{collapse(logstash.conf) |
||
| 6 | input { |
||
| 7 | file { |
||
| 8 | type => "message" |
||
| 9 | path => [ "/var/log/messages" ] |
||
| 10 | start_position => "end" |
||
| 11 | stat_interval => 1 |
||
| 12 | discover_interval => 3 |
||
| 13 | } |
||
| 14 | } |
||
| 15 | |||
| 16 | filter { |
||
| 17 | if [type] == "message" { |
||
| 18 | grok { |
||
| 19 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" } |
||
| 20 | } |
||
| 21 | date { |
||
| 22 | match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] |
||
| 23 | } |
||
| 24 | } |
||
| 25 | } |
||
| 26 | |||
| 27 | output { |
||
| 28 | stdout {} |
||
| 29 | } |
||
| 30 | }} |
||
| 31 | |||
| 32 | h2. разбираем лог nginx из файловой системы |
||
| 33 | |||
| 34 | {{collapse(nginx.conf) |
||
| 35 | <pre> |
||
| 36 | log_format json_combined escape=json |
||
| 37 | '{' |
||
| 38 | '"time_local":"$time_local",' |
||
| 39 | '"remote_addr":"$remote_addr",' |
||
| 40 | '"remote_user":"$remote_user",' |
||
| 41 | '"request":"$request",' |
||
| 42 | '"status": "$status",' |
||
| 43 | '"body_bytes_sent":"$body_bytes_sent",' |
||
| 44 | '"request_time":"$request_time",' |
||
| 45 | '"http_referrer":"$http_referer",' |
||
| 46 | '"http_user_agent":"$http_user_agent"' |
||
| 47 | '}'; |
||
| 48 | access_log /var/log/nginx/access.log json_combined; |
||
| 49 | </pre> |
||
| 50 | }} |
||
| 51 | {{collapse(logstash.conf) |
||
| 52 | <pre><code class="javascript"> |
||
| 53 | input { |
||
| 54 | file { |
||
| 55 | type => "nginx" |
||
| 56 | path => [ "/var/log/nginx/access.log" ] |
||
| 57 | start_position => "end" |
||
| 58 | } |
||
| 59 | } |
||
| 60 | |||
| 61 | filter { |
||
| 62 | if [type] == "nginx" { |
||
| 63 | json { |
||
| 64 | source => "message" |
||
| 65 | } |
||
| 66 | } |
||
| 67 | } |
||
| 68 | |||
| 69 | output { |
||
| 70 | stdout {} |
||
| 71 | } |
||
| 72 | </code></pre> |
||
| 73 | }} |
||
| 74 | |||
| 75 | h2. разбираем лог nginx из syslog |
||
| 76 | |||
| 77 | {{collapse(nginx.conf) |
||
| 78 | <pre> |
||
| 79 | log_format json_combined escape=json |
||
| 80 | '{' |
||
| 81 | '"time_local":"$time_local",' |
||
| 82 | '"remote_addr":"$remote_addr",' |
||
| 83 | '"remote_user":"$remote_user",' |
||
| 84 | '"request":"$request",' |
||
| 85 | '"status": "$status",' |
||
| 86 | '"body_bytes_sent":"$body_bytes_sent",' |
||
| 87 | '"request_time":"$request_time",' |
||
| 88 | '"http_referrer":"$http_referer",' |
||
| 89 | '"http_user_agent":"$http_user_agent"' |
||
| 90 | '}'; |
||
| 91 | access_log syslog:server=unix:/dev/log,tag=nginx,severity=error,nohostname json_combined; |
||
| 92 | </pre> |
||
| 93 | }} |
||
| 94 | {{collapse(logstash.conf) |
||
| 95 | input { |
||
| 96 | file { |
||
| 97 | type => "syslog" |
||
| 98 | path => [ "/var/log/syslog" ] |
||
| 99 | start_position => "end" |
||
| 100 | } |
||
| 101 | } |
||
| 102 | |||
| 103 | filter { |
||
| 104 | if [type] == "syslog" { |
||
| 105 | grok { |
||
| 106 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" } |
||
| 107 | } |
||
| 108 | json { |
||
| 109 | source => "[syslog_message]" |
||
| 110 | target => "[nginx_message]" |
||
| 111 | } |
||
| 112 | } |
||
| 113 | } |
||
| 114 | |||
| 115 | output { |
||
| 116 | stdout {} |
||
| 117 | } |
||
| 118 | }} |
||
| 119 | |||
| 120 | |||
| 121 | 2 | Константин Пильник | h3. ссылки |
| 122 | |||
| 123 | 1 | Константин Пильник | https://www.elastic.co/guide/en/logstash/current/input-plugins.html |
| 124 | https://www.elastic.co/guide/en/logstash/current/filter-plugins.html |
||
| 125 | https://www.elastic.co/guide/en/logstash/current/output-plugins.html |