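11 Collecting JSON-Format Logs

Benefits of the JSON format
Logs in the native format have to be matched with regular expressions, which is tedious.
Logs in JSON format need no regular expressions and can be collected field by field directly.
Architecture:
 Filebeat -> Logstash -> Elasticsearch -> Kibana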

Deployment layout (Filebeat can also be installed on other Nginx servers)

192.168.189.83: Kibana, ES

192.168.189.84: Logstash, Filebeat, Nginx

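1. Change the Nginx log format to JSON (run on 189.84):
 vim /usr/local/nginx/conf/nginx.conf
Add the following inside the http block:
# escape=json (nginx 1.11.8+) JSON-escapes quotes and backslashes in
# client-supplied values such as $http_user_agent and $http_referer,
# so every line written to the log stays valid JSON.
log_format json escape=json '{"@timestamp":"$time_iso8601",'
'"clientip":"$remote_addr",'
'"status":$status,'
'"bodysize":$body_bytes_sent,'
'"referer":"$http_referer",'
'"ua":"$http_user_agent",'
'"handletime":$request_time,'
'"url":"$uri"}';
access_log logs/access.log;
access_log logs/access.json.log json;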



Save and exit, then restart Nginx.
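Logstash's json filter tags any line it cannot parse with _jsonparsefailure, so it is worth checking access.json.log before shipping it. The following is an added example, not part of the original tutorial: it validates lines against the field names of the log_format above. The function names check_line and audit and the sample lines are constructed for illustration; line 2 of the sample assumes Nginx's default escaping, which writes a double quote as \x22.

```python
import json

# Field names and JSON types produced by this page's log_format "json".
EXPECTED = {
    "@timestamp": str, "clientip": str, "status": int, "bodysize": int,
    "referer": str, "ua": str, "handletime": (int, float), "url": str,
}

def check_line(line):
    """Return the problems found in one access.json.log line ([] means OK)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at column {exc.colno}: {exc.msg}"]
    if not isinstance(event, dict):
        return ["not a JSON object"]
    problems = []
    for field, kind in EXPECTED.items():
        if field not in event:
            problems.append(f"missing field {field}")
        elif isinstance(event[field], bool) or not isinstance(event[field], kind):
            problems.append(f"wrong type for {field}")
    # Extra keys can indicate a client-controlled value that broke out of its string.
    problems += [f"unexpected field {key}" for key in event if key not in EXPECTED]
    return problems

def audit(lines):
    """Map 1-based line number -> problems, only for lines that have any."""
    report = {}
    for number, line in enumerate(lines, 1):
        problems = check_line(line)
        if problems:
            report[number] = problems
    return report

# Constructed sample lines, not real traffic. Line 2 is what default escaping
# writes for a User-Agent containing double quotes; line 3 is JSON-escaped.
_HEAD = '{"@timestamp":"2019-06-10T10:00:00+08:00","clientip":"192.168.189.1","status":200,"bodysize":612,"referer":"-",'
_TAIL = ',"handletime":0.000,"url":"/index.html"}'
SAMPLE = [
    _HEAD + '"ua":"curl/7.29.0"' + _TAIL,
    _HEAD + r'"ua":"agent \x22quoted\x22"' + _TAIL,
    _HEAD + r'"ua":"agent \"quoted\""' + _TAIL,
]

if __name__ == "__main__":
    for number, problems in audit(SAMPLE).items():
        print(number, problems)
```

To check the real file, pass an open handle on /usr/local/nginx/logs/access.json.log to audit() in place of SAMPLE.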

2. Edit the Filebeat configuration file (run on 189.84)

Filebeat collects the JSON-format log
cd /usr/local/filebeat-6.6.0/
cp filebeat.yml filebeat.20190610
vim filebeat.yml

filebeat.inputs:
- type: log
  tail_files: true
  backoff: "1s"
  paths:
    - /usr/local/nginx/logs/access.json.log
output:
  logstash:
    hosts: ["192.168.189.84:5044"]



Save and exit, then restart Filebeat.



nohup /usr/local/filebeat-6.6.0/filebeat -e -c /usr/local/filebeat-6.6.0/filebeat.yml >/tmp/filebeat.log 2>&1 &



3. Edit the Logstash configuration file (run on 189.84)

cd /usr/local/logstash-6.6.0/config
cp logstash.conf logstash.conf.grep
vim logstash.conf

input {
  beats {
    host => '0.0.0.0'
    port => '5044'
  }
}
filter {
  json {
    source => "message"
    remove_field => ["message","@version","path","beat","input","log","offset","prospector","source","tags"]
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.189.83:9200"]
  }
}

Save and exit, then restart Logstash.
ps -ef | grep logstash
kill -9 <Logstash process ID>



nohup /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf >/tmp/logstash.log 2>&1 &

4. In Kibana, clear the index, trigger new log entries, and view the index data.








Trigger new log entries by visiting Nginx on 192.168.189.84 from another computer.



View the index data: