ELK log collection: Filebeat configuration

Two ways to collect logs

There are two common ways for an ELK stack to collect logs:

  1. Leave the source log format unchanged. Logstash sits in the middle and uses grok filters to turn the raw, unstructured lines into structured events (the log format is defined in Logstash).
  2. Change the source log format so the producer writes structured lines itself. Logstash then only collects and forwards; it does no filtering or parsing (the log format is defined at the producer and shipped by Filebeat).

Pros and cons:

With the first approach (source format unchanged), Logstash does the parsing with grok, so nothing has to change on the production side. Under heavy load, however, the grok filter becomes the bottleneck of the Logstash pipeline and eventually backs up log delivery, so grok filtering in Logstash should be avoided where possible.

The second approach (change the source format, i.e. define the log format where the production logs are written) takes some work up front, but the benefit is clear: because the output format is fixed in advance, Logstash only has to collect and forward, which takes a large load off it and moves logs through faster. This is the approach most organizations prefer. It also moves one responsibility to the producer: every field that comes from the client (URL, Referer, User-Agent, X-Forwarded-For) must be escaped by the producer, otherwise a single crafted request can break the structure of the line.

Custom nginx log format

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    # Key configuration start
    # Pick the client address: the first entry of X-Forwarded-For when the
    # header is present, otherwise the TCP peer address. The header is supplied
    # by the client, so this value is only trustworthy when a proxy you control
    # sits in front of nginx and overwrites (not appends to) the header.
    map $http_x_forwarded_for $clientRealIp {
        default  $remote_addr;   # no match (e.g. a non-numeric first entry): use the peer address
        ""       $remote_addr;
        ~^(?P<firstAddr>[0-9.]+),?.*$  $firstAddr;
    }

    # escape=json (nginx 1.11.8+) escapes quotes, backslashes and control
    # characters JSON-style. Without it nginx escapes them as \xXX, which is not
    # valid JSON, so one '"' in a User-Agent or URL makes the line unparseable.
    log_format nginx_log_json escape=json '{"accessip_list":"$proxy_add_x_forwarded_for","client_ip":"$clientRealIp","http_host":"$host","@timestamp":"$time_iso8601","method":"$request_method","url":"$request_uri","status":"$status","http_referer":"$http_referer","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","http_user_agent":"$http_user_agent","total_bytes_sent":"$bytes_sent","server_ip":"$server_addr"}';
    access_log  /var/log/nginx/access.log  nginx_log_json;
    # Key configuration end

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
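Two details of the format above matter for anyone who will parse these lines: whether the log_format is written with escape=json decides if a line survives a quote or backslash in a client-supplied header, and the map decides whose X-Forwarded-For entry ends up in client_ip. The following Python is an added example, not code from the original article or from nginx: it emulates nginx's two escaping modes (the \xXX default and escape=json, following the documented rules) and the $clientRealIp map (with a default fallback to the peer address), renders the article's format for a benign and a hostile request, and shows what a downstream JSON decoder gets. The request data, addresses and hostnames are constructed.

```python
import json
import re

# Added example (not from the original article): emulate how nginx renders the
# nginx_log_json format with its two escaping modes, and how the $clientRealIp
# map picks the client address. Escaping rules follow the nginx log_format
# documentation; all request data below is constructed.

# The article's log_format body with nginx $variables as format placeholders.
LOG_FORMAT = (
    '{{"accessip_list":"{proxy_add_x_forwarded_for}","client_ip":"{clientRealIp}",'
    '"http_host":"{host}","@timestamp":"{time_iso8601}","method":"{request_method}",'
    '"url":"{request_uri}","status":"{status}","http_referer":"{http_referer}",'
    '"body_bytes_sent":"{body_bytes_sent}","request_time":"{request_time}",'
    '"http_user_agent":"{http_user_agent}","total_bytes_sent":"{bytes_sent}",'
    '"server_ip":"{server_addr}"}}'
)


def escape_default(value):
    """log_format without escape=: '"', '\\' and bytes < 32 or > 126 become \\xXX,
    which JSON parsers reject."""
    out = []
    for b in value.encode("utf-8"):
        out.append("\\x%02X" % b if b in (0x22, 0x5C) or b < 32 or b > 126 else chr(b))
    return "".join(out)


_JSON_SHORT = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
               "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def escape_json(value):
    """log_format ... escape=json: quote and backslash get a backslash, other
    control characters become \\u00XX, everything else passes through."""
    out = []
    for ch in value:
        if ch in _JSON_SHORT:
            out.append(_JSON_SHORT[ch])
        elif ord(ch) < 32:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


_FIRST_ADDR = re.compile(r"^(?P<firstAddr>[0-9.]+),?.*$")


def client_real_ip(xff, remote_addr):
    """The $clientRealIp map: first X-Forwarded-For entry when it looks like an
    IPv4 address, otherwise the TCP peer address (the default branch). The header
    is sent by the client, so the value is spoofable without a trusted proxy."""
    m = _FIRST_ADDR.match(xff)
    return m.group("firstAddr") if m else remote_addr


def render(req, escape):
    """Render one access-log line for a request dict using the given escaping mode."""
    xff = req.get("x_forwarded_for", "")
    fields = {
        # $proxy_add_x_forwarded_for = incoming header + ", " + $remote_addr
        "proxy_add_x_forwarded_for": f"{xff}, {req['remote_addr']}" if xff else req["remote_addr"],
        "clientRealIp": client_real_ip(xff, req["remote_addr"]),
        "host": req["host"], "time_iso8601": req["time"],
        "request_method": req["method"], "request_uri": req["uri"],
        "status": str(req["status"]), "http_referer": req.get("referer", "-"),
        "body_bytes_sent": str(req["body_bytes"]), "request_time": req["request_time"],
        "http_user_agent": req["user_agent"], "bytes_sent": str(req["bytes_sent"]),
        "server_addr": req["server_addr"],
    }
    return LOG_FORMAT.format(**{k: escape(v) for k, v in fields.items()})


def parse_line(line):
    """What a downstream JSON decoder gets: the event, or None if the line is not JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


# Constructed requests. HOSTILE spoofs X-Forwarded-For and carries a User-Agent
# that tries to close the string and inject its own "status" field.
BENIGN = dict(remote_addr="203.0.113.9", x_forwarded_for="", host="www.example.com",
              time="2020-08-23T08:19:06+08:00", method="POST", uri="/webapi/sessions/comments",
              status=200, referer="https://www.example.com/live?id=68", body_bytes=6481,
              request_time="0.111", user_agent="Mozilla/5.0 (iPad; CPU OS 12_4_8 like Mac OS X)",
              bytes_sent=7820, server_addr="10.0.0.39")
HOSTILE = dict(BENIGN, x_forwarded_for="10.0.0.1", status=403,
               user_agent='Mozilla/5.0", "status":"200", "x":"')

if __name__ == "__main__":
    for name, esc in (("default", escape_default), ("escape=json", escape_json)):
        line = render(HOSTILE, esc)
        print(name, "->", "parsed" if parse_line(line) else "REJECTED", line)
```

With the default escaping the hostile line is rejected by the decoder, so the request disappears from the index; with escape=json it parses, the injected text stays inside http_user_agent and status keeps its real value. client_ip, however, is the spoofed 10.0.0.1 in both modes, which is why the map must only be trusted behind a proxy that rewrites the header.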

Resulting nginx log line (shown pretty-printed here; nginx writes it as a single line)

{
	"accessip_list": "183.197.x.x",
	"client_ip": "183.197.x.x",
	"http_host": "xgzx.admin.talkmed.com",
	"@timestamp": "2020-08-23T08:19:06+08:00",
	"method": "POST",
	"url": "/webapi/sessions/comments",
	"status": "200",
	"http_referer": "http://xgzx.talkmed.com/meeting/live?id=68",
	"body_bytes_sent": "6481",
	"request_time": "0.111",
	"http_user_agent": "Mozilla/5.0 (iPad; CPU OS 12_4_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.15(0x17000f24) NetType/WIFI Language/zh_CN",
	"total_bytes_sent": "7820",
	"server_ip": "x.x.175.39"
}

Field reference

accessip_list: the value of $proxy_add_x_forwarded_for, i.e. the incoming X-Forwarded-For list with $remote_addr appended, so every proxy hop adds one address

client_ip: the client address chosen by the map above: the first X-Forwarded-For entry, or the TCP peer address when the header is absent. The header is set by the client, so treat this as untrusted unless a proxy you control rewrites it

http_host: the host the client asked for ($host), i.e. the IP address or domain name typed into the browser

@timestamp: the request time in ISO 8601 format ($time_iso8601)

method: the HTTP request method, usually GET or POST

url: the original request URI including the query string ($request_uri), before any rewrite

status: the HTTP response status code

http_referer: the Referer header, i.e. the page the request came from

body_bytes_sent: bytes sent to the client, excluding the response headers

request_time: request processing time in seconds with millisecond resolution

http_user_agent: the User-Agent header, i.e. browser type and version

total_bytes_sent: total bytes sent to the client ($bytes_sent), including the response headers

server_ip: the address of the local server that accepted the request ($server_addr)

Filebeat configuration

The configuration file is /etc/filebeat/filebeat.yml.

Inputs. Each input has an enabled switch (default true): the first log input below is switched off with enabled: false, the second one is active.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

- type: log
  # Must match the access_log path set in nginx.conf above.
  paths:
    - /var/log/nginx/access.log
  # Custom field; the Redis output below uses it as the list key.
  # The nginx JSON line is shipped verbatim in the event's "message" field and
  # has to be decoded downstream (Logstash json filter) unless
  # json.keys_under_root is enabled on this input.
  fields:
    index: 'nginx_access_log'


To ship several files, add one input per file; give each input its own fields.index so the events land under different Redis keys.

Output. Here the events go to Redis:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
#  hosts: ["localhost:9200"]

# ------------------------------- Redis Output ---------------------------------
output.redis:
  hosts: ["x.x.53.36:8417"]
  # An empty password means no AUTH. A Redis instance reachable on a non-loopback
  # address should require a password (requirepass), and because Filebeat speaks
  # plain RESP the link should be protected with the ssl options or a network
  # boundary; otherwise anyone on the path can read or forge log entries.
  password: ""
  db: 0
  timeout: 5
  # One list per input; falls back to the literal "otherIndex" when fields.index is unset.
  key: "%{[fields.index]:otherIndex}"
  # Note: protocol, api_key and username are options of the Elasticsearch output
  # and have no effect under output.redis.

Restart Filebeat. Once the log file receives new lines, the following redis-cli commands show the shipped events under the key set by fields.index:

llen nginx_access_log
lrange nginx_access_log 0 -1
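What LRANGE returns is not the nginx line itself but a Filebeat event wrapping it: the nginx JSON is a string in message, next to fields.index, log.file.path and the Beat's own metadata, and it only becomes structured once a downstream stage decodes it. The following Python is an added example, not part of the original article or of Filebeat or Logstash: it decodes such entries the way a downstream consumer would, rejects lines that are not valid JSON instead of failing the batch, types the numeric fields, and resolves the same key fallback as %{[fields.index]:otherIndex}. The three entries are constructed and trimmed to the fields the code reads.

```python
import json

# Added example (not from the original article, Filebeat or Logstash): decode the
# entries Filebeat pushes onto the Redis list. Each entry is a Filebeat event; the
# nginx JSON line is a *string* inside "message" and only becomes structured once
# a downstream stage decodes it. The three entries below are constructed and
# trimmed to the fields this code reads.

# Fields every nginx_log_json line is expected to carry; anything without them is
# not one of our access-log lines.
REQUIRED = {"client_ip", "http_host", "@timestamp", "method", "url", "status", "http_user_agent"}


def redis_key(envelope):
    """Resolve the list key the way Filebeat's key: "%{[fields.index]:otherIndex}"
    does: the custom field if present, the literal fallback otherwise."""
    return envelope.get("fields", {}).get("index", "otherIndex")


def decode_event(raw):
    """Decode one list entry. Returns (key, event) or (key, None) when the inner
    line is not a valid nginx_log_json line, so the caller can skip and count it
    rather than let one bad line stall the whole batch."""
    envelope = json.loads(raw)
    key = redis_key(envelope)
    try:
        event = json.loads(envelope["message"])
    except (KeyError, json.JSONDecodeError):
        return key, None
    if not isinstance(event, dict) or not REQUIRED.issubset(event):
        return key, None
    # nginx writes every value as a string; type the numeric ones for aggregation.
    for field in ("status", "body_bytes_sent", "total_bytes_sent"):
        if field in event:
            event[field] = int(event[field])
    event["request_time"] = float(event["request_time"])
    # Keep where the line came from; useful when several inputs share one key.
    event["source_file"] = envelope.get("log", {}).get("file", {}).get("path")
    return key, event


def drain(entries):
    """Process a batch (e.g. what LRANGE returned): events grouped by key, plus the
    raw entries that failed to decode."""
    routed, rejected = {}, []
    for raw in entries:
        key, event = decode_event(raw)
        if event is None:
            rejected.append(raw)
        else:
            routed.setdefault(key, []).append(event)
    return routed, rejected


def _envelope(message, path, index=None, ts="2020-08-23T00:19:06.000Z"):
    """Build a constructed Filebeat-style event (real events carry more metadata)."""
    env = {"@timestamp": ts, "message": message,
           "log": {"offset": 0, "file": {"path": path}}, "input": {"type": "log"}}
    if index is not None:
        env["fields"] = {"index": index}
    return json.dumps(env)


SAMPLE_ENTRIES = [
    # A well-formed line from the nginx_log_json format.
    _envelope('{"accessip_list":"203.0.113.9","client_ip":"203.0.113.9","http_host":"www.example.com",'
              '"@timestamp":"2020-08-23T08:19:06+08:00","method":"POST","url":"/webapi/sessions/comments",'
              '"status":"200","http_referer":"https://www.example.com/live?id=68","body_bytes_sent":"6481",'
              '"request_time":"0.111","http_user_agent":"Mozilla/5.0","total_bytes_sent":"7820",'
              '"server_ip":"10.0.0.39"}',
              "/var/log/nginx/access.log", index="nginx_access_log"),
    # Written without escape=json and hit by a quoted User-Agent: nginx emitted \x22,
    # which is not a JSON escape, so the inner decode fails.
    _envelope('{"accessip_list":"203.0.113.9","client_ip":"203.0.113.9","http_host":"www.example.com",'
              '"@timestamp":"2020-08-23T08:19:07+08:00","method":"GET","url":"/","status":"200",'
              '"http_referer":"-","body_bytes_sent":"12","request_time":"0.001",'
              '"http_user_agent":"Mozilla/5.0 \\x22evil\\x22","total_bytes_sent":"300","server_ip":"10.0.0.39"}',
              "/var/log/nginx/access.log", index="nginx_access_log"),
    # From an input without fields.index: lands under the fallback key.
    _envelope('{"client_ip":"198.51.100.7","http_host":"api.example.com","@timestamp":"2020-08-23T08:19:08+08:00",'
              '"method":"GET","url":"/health","status":"204","http_user_agent":"curl/7.68.0","request_time":"0.000"}',
              "/var/log/nginx/api_access.log"),
]

if __name__ == "__main__":
    routed, rejected = drain(SAMPLE_ENTRIES)
    for key, events in routed.items():
        print(key, [(e["method"], e["url"], e["status"]) for e in events])
    print("rejected:", len(rejected))
```

Counting the rejected entries is the cheap health check for the producer-side format: if the count rises after a deployment, something upstream is writing lines the format cannot contain, and the fix belongs in nginx.conf (escaping), not in the consumer.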
Original article: https://www.cnblogs.com/webclz/p/13548194.html