1. Background
When Nginx logs are analysed with ELK, the default access log is plain text, so before it can be indexed into Elasticsearch it has to pass through Logstash's grok plugin to be parsed and converted to JSON. That step costs Logstash a lot of resources, and the fields that end up in Elasticsearch are not easy to analyse. It is better to have Nginx write the log as JSON at the collection end, so the pipeline only has to decode it.
2. Configuration
Edit the main Nginx configuration file:
vim /usr/local/nginx/conf/nginx.conf
Inside the http block, add the following log_format definition:
# escape=json (nginx 1.11.8+) makes nginx escape '"' and '\' in the fields a
# client controls ($request, $http_referer, $http_user_agent, ...), so every
# line stays valid JSON. The original listed body_bytes_sent twice; the
# duplicate key is dropped here, since JSON parsers keep only one of them.
log_format json escape=json '{ "@timestamp": "$time_iso8601", '
                '"time": "$time_iso8601", '
                '"clientip": "$remote_addr", '
                '"remote_user": "$remote_user", '
                '"body_bytes_sent": "$body_bytes_sent", '
                '"request_time": "$request_time", '
                '"status": "$status", '
                '"host": "$host", '
                '"request": "$request", '
                '"request_method": "$request_method", '
                '"uri": "$uri", '
                '"http_referrer": "$http_referer", '
                '"http_x_forwarded_for": "$http_x_forwarded_for", '
                '"http_user_agent": "$http_user_agent" '
                '}';
Inside the server block, add:
access_log /var/log/nginx/io.log json;

3. Reload Nginx for the change to take effect
Check the configuration with nginx -t first (a syntax error in log_format would otherwise abort the reload), then reload with nginx -s reload. The access log should now contain one JSON object per line:

[root@ELK-Master nginx]# tail -f /var/log/nginx/io.log
{ "@timestamp": "2023-11-07T10:45:03+08:00", "time": "2023-11-07T10:45:03+08:00", "clientip": "192.168.3.13", "remote_user": "-", "body_bytes_sent": "0", "request_time": "0.000", "status": "304", "host": "192.168.3.88", "request": "GET / HTTP/1.1", "request_method": "GET", "uri": "/index.html", "http_referrer": "-", "body_bytes_sent":"0", "http_x_forwarded_for": "-", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" }
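To show what the escaping setting buys the pipeline, here is an added Python example; it is not part of the original post and not Nginx's own code. It re-implements Nginx's default and escape=json log escaping as described in the Nginx documentation, renders two constructed requests through the field list of the "json" format above, and feeds the lines to a small consumer of the kind a Logstash or Filebeat stage would be. With the default escaping a User-Agent containing a double quote is written as \x22, which is not a JSON escape sequence, so the whole line is unparseable and lost; with escape=json the value round-trips. The sample values, the function names and the parse_log consumer are the example's own assumptions.

```python
import json
from collections import Counter

# Field order of the "json" log_format above (duplicate body_bytes_sent dropped).
FIELDS = [
    "@timestamp", "time", "clientip", "remote_user", "body_bytes_sent",
    "request_time", "status", "host", "request", "request_method", "uri",
    "http_referrer", "http_x_forwarded_for", "http_user_agent",
]


def nginx_default_escape(value: str) -> str:
    """Re-implementation (from the nginx docs, not nginx's code) of the default
    log escaping: '"', '\\' and bytes outside 32..126 become \\xXX.
    \\x is not a JSON escape, so a line containing it is no longer valid JSON."""
    out = []
    for b in value.encode("utf-8"):
        if b in (0x22, 0x5C) or b < 0x20 or b > 0x7E:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def nginx_json_escape(value: str) -> str:
    """Re-implementation of escape=json: '"' and '\\' get a backslash,
    control characters become \\n, \\r, \\t, \\b, \\f or \\u00XX."""
    short = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f"}
    out = []
    for ch in value:
        if ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_line(variables: dict, escape_json: bool) -> str:
    """Render one access-log line the way the 'json' log_format does."""
    esc = nginx_json_escape if escape_json else nginx_default_escape
    body = ", ".join('"%s": "%s"' % (k, esc(variables[k])) for k in FIELDS)
    return "{ " + body + " }"


# Constructed request variables (not captured from a real server).
BENIGN_REQUEST = {
    "@timestamp": "2023-11-07T10:45:03+08:00", "time": "2023-11-07T10:45:03+08:00",
    "clientip": "192.168.3.13", "remote_user": "-", "body_bytes_sent": "0",
    "request_time": "0.000", "status": "304", "host": "192.168.3.88",
    "request": "GET / HTTP/1.1", "request_method": "GET", "uri": "/index.html",
    "http_referrer": "-", "http_x_forwarded_for": "-",
    "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}
# Same request, but the User-Agent header carries a quote and a newline, which
# any client can send; this is the input the escaping has to survive.
HOSTILE_REQUEST = dict(
    BENIGN_REQUEST,
    status="200",
    http_user_agent='curl/8.0 "x"\n{"status": "200", "clientip": "10.0.0.1"}',
)


def parse_log(text: str) -> dict:
    """Parse JSON access-log lines. Lines that fail to parse are counted rather
    than dropped silently: in production they deserve an alert, because they
    mean either broken escaping or a client sending odd headers on purpose."""
    result = {"records": [], "malformed": 0, "status_counts": Counter()}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            result["malformed"] += 1
            continue
        result["records"].append(record)
        result["status_counts"][record["status"]] += 1
    return result


def demo(escape_json: bool) -> dict:
    """Render both constructed requests with the chosen escaping and parse them."""
    lines = (render_line(r, escape_json) for r in (BENIGN_REQUEST, HOSTILE_REQUEST))
    return parse_log("\n".join(lines))


if __name__ == "__main__":
    for mode in (False, True):
        r = demo(mode)
        print("escape=json" if mode else "escape=default",
              "-> parsed:", len(r["records"]), "malformed:", r["malformed"])
```

Running the script prints one parsed line and one malformed line for the default escaping, and two parsed lines for escape=json. The malformed counter is the part worth keeping in a real consumer: a pipeline that silently skips unparseable lines loses exactly the requests that look least normal.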

