说明
因为nginx可以自定义访问日志,而logstash处理json格式日志比较方便,所以可以先将nginx访问日志格式手动拼成json格式
修改nginx访问日志格式
http {
log_format json '{"@timestamp":"$time_iso8601",'
'"host":"$server_addr",'
'"clientip":"$remote_addr",'
'"size":"body_bytes_sent",'
'"responsetime":$request_time,'
'"upstreamtime":"$upstream_response_time",'
'"upstreamhost":"$upstream_addr",'
'"http_host":"$host",'
'"url":"$uri",'
'"xff":"$http_x_forwarded_for",'
'"referer":"$http_referer",'
'"agent":"$http_user_agent",'
'"status":"$status"}';
......
}
logstash配置
[root@localhost /usr/local/logstash-5.1.1]# vim config/conf.d/nginx.conf
input {
file {
path => "/var/log/nginx/access.log"
codec => json
}
}
filter {
mutate {
split => ["upstreamtime", ","]
}
mutate {
convert => ["upstreamtime","float"]
}
}
output {
elasticsearch {
hosts => "172.16.11.199"
index => "logstash-nginx-%{+YYYY.MM.dd}"
}
}
配置解释:
- input 标准输入,这里指定日志文件,格式为json格式
- filter 日志过滤,因为如果有代理服务器,upstreamtime会有多个值,这里先将多个upstream切割成数组,然后通过convert将值转化为浮点型,因为在mutate中convert的优先级高于split,所以这里只能分成两个mutate
kibana配置
-
添加索引
-
索引添加完成后即可看到以下界面
-
添加Visualize
-
构建网站访问状态码比例饼图
-
构建每个ip访问的url条形图
-
构建某一时刻用户访问网站的url