Logstash » История » Версия 2
Константин Пильник, 2022-10-14 13:48
1 | 1 | Константин Пильник | h1. Logstash |
---|---|---|---|
2 | |||
3 | h2. разбираем лог syslog |
||
4 | |||
5 | {{collapse(logstash.conf) |
||
6 | input { |
||
7 | file { |
||
8 | type => "message" |
||
9 | path => [ "/var/log/messages" ] |
||
10 | start_position => "end" |
||
11 | stat_interval => 1 |
||
12 | discover_interval => 3 |
||
13 | } |
||
14 | } |
||
15 | |||
16 | filter { |
||
17 | if [type] == "message" { |
||
18 | grok { |
||
19 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" } |
||
20 | } |
||
21 | date { |
||
22 | match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] |
||
23 | } |
||
24 | } |
||
25 | } |
||
26 | |||
27 | output { |
||
28 | stdout {} |
||
29 | } |
||
30 | }} |
||
31 | |||
32 | h2. разбираем лог nginx из файловой системы |
||
33 | |||
34 | {{collapse(nginx.conf) |
||
35 | <pre> |
||
36 | log_format json_combined escape=json |
||
37 | '{' |
||
38 | '"time_local":"$time_local",' |
||
39 | '"remote_addr":"$remote_addr",' |
||
40 | '"remote_user":"$remote_user",' |
||
41 | '"request":"$request",' |
||
42 | '"status": "$status",' |
||
43 | '"body_bytes_sent":"$body_bytes_sent",' |
||
44 | '"request_time":"$request_time",' |
||
45 | '"http_referrer":"$http_referer",' |
||
46 | '"http_user_agent":"$http_user_agent"' |
||
47 | '}'; |
||
48 | access_log /var/log/nginx/access.log json_combined; |
||
49 | </pre> |
||
50 | }} |
||
51 | {{collapse(logstash.conf) |
||
52 | <pre><code class="javascript"> |
||
53 | input { |
||
54 | file { |
||
55 | type => "nginx" |
||
56 | path => [ "/var/log/nginx/access.log" ] |
||
57 | start_position => "end" |
||
58 | } |
||
59 | } |
||
60 | |||
61 | filter { |
||
62 | if [type] == "nginx" { |
||
63 | json { |
||
64 | source => "message" |
||
65 | } |
||
66 | } |
||
67 | } |
||
68 | |||
69 | output { |
||
70 | stdout {} |
||
71 | } |
||
72 | </code></pre> |
||
73 | }} |
||
74 | |||
75 | h2. разбираем лог nginx из syslog |
||
76 | |||
77 | {{collapse(nginx.conf) |
||
78 | <pre> |
||
79 | log_format json_combined escape=json |
||
80 | '{' |
||
81 | '"time_local":"$time_local",' |
||
82 | '"remote_addr":"$remote_addr",' |
||
83 | '"remote_user":"$remote_user",' |
||
84 | '"request":"$request",' |
||
85 | '"status": "$status",' |
||
86 | '"body_bytes_sent":"$body_bytes_sent",' |
||
87 | '"request_time":"$request_time",' |
||
88 | '"http_referrer":"$http_referer",' |
||
89 | '"http_user_agent":"$http_user_agent"' |
||
90 | '}'; |
||
91 | access_log syslog:server=unix:/dev/log,tag=nginx,severity=error,nohostname json_combined; |
||
92 | </pre> |
||
93 | }} |
||
94 | {{collapse(logstash.conf) |
||
95 | input { |
||
96 | file { |
||
97 | type => "syslog" |
||
98 | path => [ "/var/log/syslog" ] |
||
99 | start_position => "end" |
||
100 | } |
||
101 | } |
||
102 | |||
103 | filter { |
||
104 | if [type] == "syslog" { |
||
105 | grok { |
||
106 | match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:\s+%{GREEDYDATA:syslog_message}" } |
||
107 | } |
||
108 | json { |
||
109 | source => "[syslog_message]" |
||
110 | target => "[nginx_message]" |
||
111 | } |
||
112 | } |
||
113 | } |
||
114 | |||
115 | output { |
||
116 | stdout {} |
||
117 | } |
||
118 | }} |
||
119 | |||
120 | |||
121 | 2 | Константин Пильник | h3. ссылки |
122 | |||
123 | 1 | Константин Пильник | https://www.elastic.co/guide/en/logstash/current/input-plugins.html |
124 | https://www.elastic.co/guide/en/logstash/current/filter-plugins.html |
||
125 | https://www.elastic.co/guide/en/logstash/current/output-plugins.html |